Abstract

We present abstraction techniques that transform a given non-linear dynamical system into a linear system or an algebraic system described by polynomials of bounded degree, such that invariant properties of the resulting abstraction can be used to infer invariants for the original system. The abstraction techniques rely on a change-of-basis transformation that associates each state variable of the abstract system with a function involving the state variables of the original system. We present conditions under which a given change-of-basis transformation for a non-linear system can define an abstraction. Furthermore, the techniques developed here apply to continuous systems defined by Ordinary Differential Equations (ODEs), discrete systems defined by transition systems and hybrid systems that combine continuous as well as discrete subsystems.

The techniques presented here allow us to discover, given a non-linear system, if a 
change of bases transformation involving degree-bounded polynomials yielding an alge- 
braic abstraction exists. If so, our technique yields the resulting abstract system, as well. 
This approach is further extended to search for a change of bases transformation that 
abstracts a given non-linear system into a system of linear differential inclusions. Our 
techniques enable the use of analysis techniques for linear systems to infer invariants for 
non-linear systems. We present preliminary evidence of the practical feasibility of our 
ideas using a prototype implementation. 



1 Introduction 



In this paper, we explore a class of abstractions for non-linear autonomous systems (continuous, discrete and hybrid systems) using Change-of-Bases (CoB) transformations. CoB
transformations are obtained for a given system by expressing the dynamics of the system 
in terms of a new set of variables that relate to the original system variables through the 
CoB transformation. Such a transformation is akin to studying the system under a new set 
of "bases". We derive conditions on the transformations such that (a) the CoB transforma- 
tions also define an autonomous system and (b) the resulting system abstracts the original 
system: i.e., all invariants of the abstract system can be transformed into invariants for the 
original system. Furthermore, we often seek abstract systems through CoB transformations 
whose dynamics are of a simpler form, more amenable to automatic verification techniques. 
For instance, it is possible to use CoB transformations that relate an ODE with non-linear
right-hand sides to an affine ODE, or transformations that reduce the degree of a system with
polynomial right-hand sides. If such transformations can be found, then safety analysis tech- 
niques over the simpler abstract system can be used to infer safety properties of the original 
system. 

In this paper, we make two main contributions: (a) we define CoB transformations for continuous, discrete and hybrid systems and provide conditions under which a given transformation is valid; (b) we provide search techniques for finding CoB transformations that result in a polynomial system whose right-hand sides are degree limited by some limit $d \geq 1$. Specifically, the case $d = 1$ yields an affine abstraction; and (c) we provide experimental evidence of the application of our techniques to a variety of ordinary differential equations (ODEs) and discrete programs.

The results in this paper extend our previously published results that appeared in HSCC 
2011 [13]. The contributions of this paper include (a) an extension from linearizing CoB trans- 
formations to degree-bounded polynomial CoB transformations, (b) extending the theory from 
purely continuous system to discrete and hybrid systems, and (c) an improved implementa- 
tion that can handle hybrid systems with some evaluation results using this implementation. 
On the other hand, our previous work also included an extension of the theory to differential 
inequalities and iterative techniques over cones. These extensions are omitted here in favor 
of an extended treatment of the theory of differential equation abstractions for continuous, 
discrete and hybrid systems. 

1.1 Motivating Examples 

In this section, we motivate the techniques developed in this paper by means of a few illustrative examples involving purely continuous ODEs and purely discrete programs.

Our first example concerns a continuous system defined by a system of Ordinary Differ- 
ential Equations (ODEs): 

Example 1.1. Consider a continuous system over $\{x, y\}$: $\dot{x} = xy + 2x$, $\dot{y} = -\frac{1}{2}y^2 + 7y + 1$, with initial conditions given by the set $x \in [0,1]$, $y \in [0,1]$. Using the transformation $\alpha : (x,y) \mapsto (w_1,w_2,w_3)$ wherein $\alpha_1(x,y) = x$, $\alpha_2(x,y) = xy$ and $\alpha_3(x,y) = xy^2$, we find that the dynamics over $w$ can be written as

$$\dot{w}_1 = 2w_1 + w_2, \quad \dot{w}_2 = w_1 + 9w_2 + \tfrac{1}{2}w_3, \quad \dot{w}_3 = 2w_2 + 16w_3$$

Its initial conditions are given by $w_1 \in [0,1]$, $w_2 \in [0,1]$, $w_3 \in [0,1]$. We analyze the system using the TimePass tool as presented in our previous work [37] to obtain polyhedral invariants:

$$\begin{aligned}
&-w_1 + 2w_2 \geq -1 \;\land\; w_3 \geq 0 \;\land\; w_2 \geq 0 \;\land \\
&-16w_1 + 32w_2 - w_3 \geq -17 \;\land\; 32w_2 - w_3 \geq -1 \;\land \\
&2w_1 - 4w_2 + 17w_3 \geq -4 \;\land\; 286w_1 - 32w_2 + {} \geq -32 \;\land
\end{aligned}$$

Substituting back, we can infer polynomial inequality invariants on the original system including,

$$\begin{aligned}
&-x + 2xy \geq -1 \;\land\; xy^2 \geq 0 \;\land\; -16x + 32xy - xy^2 \geq -17 \\
&x \geq 0 \;\land\; 2x - 4xy + 17xy^2 \geq -4 \;\land\; \cdots
\end{aligned}$$

proc computeP(int k)
  int x, y;
  assert(k > 0);
  x := y := 0;
  while (y < k) {
    x := x + y * y;
    y := y + 1;
  }
end-function

proc computePAbs(int k)
  int x, y, y2;
  assert(k > 0);
  x := y := y2 := 0;
  while (y < k) {
    x := x + y2;
    y2 := y2 + 2 * y + 1;
    y := y + 1;
  }
end-function

Figure 1: Program showing a benchmark example proposed by Petter [2 and its abstraction obtained by a change of basis ($x \mapsto x$, $y \mapsto y$, $y2 \mapsto y^2$).


Finally, we integrate the linear system to infer the following conserved quantity for the 
underlying non-linear system: 

("5? + TS2 (50 + 7V51) e(-9+-^)* + ife (50 - 7^51) £-(9+^)*) x+ 
( ( 7e9* - ^/5Te9* - 14e(9+v^)*+ 

__l_e-9*-(9+v^)* I 7g9t+(-9+V5T)t+(9+V5T)t^ | | 



\ 



51e 



9t+(-9+v^)t+(9+v^)t 



^_i_e-9*-(9+v^)* ^e^* - 2e('^+^)* + g9t+(-9+V5T)t+(9+V5T)i^^ ^^2 

Finally, if $x(0) \neq 0$, the map $\alpha$ is invertible and therefore, the ODE above can be integrated.

Note that not every transformation yields a linear abstraction. In fact, most transformations will not define an abstraction. The conditions for an abstraction are discussed in Section 2.

Next, we motivate our approach on purely discrete programs, showing how CoB transformations can linearize a discrete program with non-linear assignments, modeled by a transition system [21]. In turn, we show how invariants of the abstract linearized program can be transferred back.

Example 1.2. Figure 1 shows an example proposed originally by Petter f2^ J that considers a program that sums up all squares from 1 to $K$ for some input $K > 0$. Consider a very simple change of basis transformation wherein we add a new variable "y2" that tracks the value of $y^2$ as the loop is executed. It is straightforward to write assignments for "y2" in terms of itself, $x$, $y$. Doing so for this example does not necessitate the tracking of higher degree terms such as y^,x^y^ and so on. Finally, the resulting program has affine guards and assignments, making it suitable for polyhedral abstract interpretation IC , Tdi J. The polyhedral analysis yields linear invariants at the loop head and the function exit in terms of the variables $x$, $y$, $y2$. We may safely substitute $y^2$ in place of $y2$ and obtain invariants over the original program. The non-linear invariants obtained at the function exit are shown below:

$$\begin{aligned}
&4x + 18y - 7y^2 \geq 11 \;\land\; 4 \leq 2x + 7y - 3y^2 \;\land\; 9 \leq x + 12y - 3y^2 \;\land\; 1 \leq y \;\land \\
&3y - y^2 \leq 2 \;\land\; 5y - y^2 \leq 6 \;\land\; 6y - y^2 \leq 9 \;\land\; k = y
\end{aligned}$$

In this example, the change of basis to $y^2$ can, perhaps, be inferred from the syntax of this program. However, we demonstrate other situations in this paper, wherein the change of basis cannot be inferred from the expressions in the program using syntactic means.

The invariant

$$6x = 2k^3 + 3k^2 + k,$$

discovered by Petter and many other subsequent works such as the complete approach for P-solvable loops by Kovács fT^J can also be discovered by Karr's analysis when the term $y^3$ is introduced into the change-of-basis transformations in addition to $y^2$. ▲
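
The change of basis of Example 1.2 can be checked by running both programs of Figure 1 side by side. The following is an added example, not code from the paper or its prototype: `STEP` encodes the loop body of computePAbs as one affine map, the function names are chosen here, and the exit invariants are the ones listed above read with non-strict inequalities and $y^2$ substituted for y2.

```python
def concrete_trace(k):
    """computeP from Figure 1: the (x, y) states at the loop head, ending at exit."""
    assert k > 0
    x = y = 0
    trace = [(x, y)]
    while y < k:
        x = x + y * y          # the non-linear assignment
        y = y + 1
        trace.append((x, y))
    return trace

# computePAbs as a single affine map on the column vector (x, y, y2, 1).
# Its three assignments read the pre-update values of y and y2, so one
# iteration is  x' = x + y2,  y' = y + 1,  y2' = y2 + 2*y + 1.
STEP = [[1, 0, 1, 0],
        [0, 1, 0, 1],
        [0, 2, 1, 1],
        [0, 0, 0, 1]]

def abstract_trace(k):
    """computePAbs: the (x, y, y2) states, using only affine guards and updates."""
    assert k > 0
    state = [0, 0, 0, 1]
    trace = [tuple(state[:3])]
    while state[1] < k:        # affine guard y < k
        state = [sum(a * s for a, s in zip(row, state)) for row in STEP]
        trace.append(tuple(state[:3]))
    return trace

def alpha(x, y):
    """Change of basis (x, y) -> (x, y, y^2)."""
    return (x, y, y * y)

def simulation_holds(k):
    """alpha maps each concrete state onto the abstract state of the same step."""
    return [alpha(x, y) for x, y in concrete_trace(k)] == abstract_trace(k)

def exit_invariants_hold(k):
    """Exit invariants of Example 1.2, evaluated on the original program."""
    x, y = concrete_trace(k)[-1]
    return all([
        4 * x + 18 * y - 7 * y * y >= 11,
        4 <= 2 * x + 7 * y - 3 * y * y,
        9 <= x + 12 * y - 3 * y * y,
        1 <= y,
        3 * y - y * y <= 2,
        5 * y - y * y <= 6,
        6 * y - y * y <= 9,
        k == y,
    ])

if __name__ == "__main__":
    for k in range(1, 8):
        print(k, concrete_trace(k)[-1], simulation_holds(k), exit_invariants_hold(k))
```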

1.2 Related Work 

Many different types of discrete abstractions have been studied for hybrid systems [1] including predicate abstraction [39] and abstractions based on invariants [25]. The use of counter-example guided iterative abstraction-refinement has also been investigated in the past (Cf. Alur et al. [2] and Clarke et al. 0], for example). In this paper, we consider continuous abstractions for continuous systems specified as ODEs, discrete systems and hybrid systems using a change of bases transformation. As noted above, not all transformations can be used for this purpose. Our abstractions for ODEs bear similarities to the notion of topological semi-conjugacy between flows of dynamical systems [23].

Previous work on invariant generation for hybrid systems by the author constructs invariants by assuming a desired template form (ansatz) with unknown parameters and applying the "consecution" conditions such as strong consecution and constant scale consecution [38]. Matringe et al. present generalizations of these conditions using morphisms [22]. Therein, they observe that strong and constant scale consecution conditions correspond to a linear abstraction of the original non-linear system of a restrictive form. Specifically, the original system is abstracted by a system of the form $\frac{dx}{dt} = 0$ for strong consecution, and a system of the form $\frac{dx}{dt} = \lambda x$ for constant-scale consecution. This paper builds upon this observation by Matringe et al. using fixed-point computation techniques to search for a general linear abstraction that is related to the original system by a change of basis transformation. Our work is also related to the technique of differential invariants proposed by Platzer et al. [29]. At a high level, Platzer et al. attempt to prove an invariant $p = 0$ for a continuous system (often a subsystem of a larger hybrid system) using differential invariant rule wherein the state assertion $\frac{dp}{dt} = 0$ is established. Likewise, to prove $p < 0$, it seeks to establish $\frac{dp}{dt} < 0$. In this paper, we may view the same process through a CoB transformation $w \mapsto p(x)$ that allows us to write the abstract dynamics as $\frac{dw}{dt} = 0$. Going further, we seek to compute $w \mapsto \alpha(x)$ that maps the dynamics to an affine or a polynomial system. On the other hand, differential invariants allow us to reason about Boolean combinations of assertions and embed into a rich dynamic-logic framework combining discrete and continuous actions on the state. The work here and its extension to differential inequalities 3J] can be utilized in such a framework.



Fixed point techniques for deriving invariants of differential equations have been proposed by the author in previous papers [33, 37]. These techniques have addressed the derivation of polyhedral invariants for affine systems [37] and algebraic invariants for systems with polynomial right-hand sides [33]. In this technique, we employ the machinery of fixed-points. Our primary goal is not to derive invariants, per se, but to search for abstractions of non-linear systems into linear systems.

Discrete Systems: There has been a large body of work focused on the use of algebraic techniques for deriving invariants of programs. Previous work by the author focuses on deriving polynomial equality invariants for programs, automatically, by setting up template polynomial invariants with unknown coefficients and deriving constraints on values of these coefficients to ensure invariance [s^, [s^. Carbonell et al. present loop invariant generation techniques by solving recurrences and computing polynomial ideals to capture algebraic properties of the reachable states [s^] and subsequently using the descending abstract interpretation over ideals with widening over ideals to ensure termination [31]. The approach is extended to polyhedral cones generated by polynomial inequalities to generate polynomial inequality invariants Q]. Another set of related techniques concern the use of linear invariant generation techniques for polynomial equality invariant generation. Müller-Olm and Seidl explore the use of linear algebraic techniques, wherein a vector space of matrices are used to summarize the transformation from the initial state of a program to a given location. This space is then used to generate polynomial invariants of the program [24]. Likewise, the work of Colon explores degree-bounded restrictions to Nullstellensatz to enable linear algebraic techniques to generate polynomial invariants. More recently, the work of Kovács uses sophisticated techniques for solving recurrence equations over so-called P-solvable loops to generate polynomial invariants for them [l^.

Finally, our approach is closely related to Carleman embedding that can be used to linearize a given differential equation with polynomial right-hand sides [l^. The standard Carleman embedding technique creates an infinite dimensional linear system, wherein each dimension corresponds to a monomial or a basis polynomial. In practice, it is possible to create a linear approximation with known error bounds by truncating the monomial terms beyond a degree cutoff. Our approach for differential equation abstractions can be roughly seen as a search for a "finite submatrix" inside the infinite matrix created by the Carleman linearization. The rows and columns of this submatrix correspond to monomials such that the derivative of each monomial in the submatrix is a linear combination of monomials that belong to the submatrix. Note, however, that while Carleman embedding is defined using some basis for polynomials (usually power-products), our approach can derive transformations that may involve polynomials as opposed to just power-products.

Organization: The rest of this paper presents our approach for Ordinary Differential Equations in Section 2. The ideas for discrete systems are presented in Section 3 by first presenting the theory for simple loops and then extending it to arbitrary discrete programs modeled by transition systems. The extensions to hybrid systems are presented briefly by suitably merging the techniques for discrete programs with those for ODEs. Finally, Section 5 presents an evaluation of the ideas presented using our implementation that combines an automatic search for CoB transformations with polyhedral invariant generation for continuous, discrete and hybrid systems 10, 1^, 37 1.



2 Abstractions for ODEs

We first present some preliminary definitions for continuous systems defined by Ordinary Differential Equations (ODEs).

2.1 Preliminaries: Continuous Systems

Let $\mathbb{R}$ denote the field of real numbers. Let $x_1, \dots, x_n$ denote a set of variables, collectively represented as $x$. The set $\mathbb{R}[x]$ denotes the ring of multivariate polynomials over $\mathbb{R}$.

A power-product over $x$ is of the form $x_1^{r_1} x_2^{r_2} \cdots x_n^{r_n}$, succinctly written as $x^r$, wherein each $r_j \in \mathbb{N}$. The degree of a monomial $x^r$ is given by $\sum_{i=1}^{n} r_i = \mathbf{1} \cdot r$. A monomial is of the form $c \cdot m$ where $c \in \mathbb{R}$ and $m$ is a power-product. A multivariate polynomial $p$ is a sum of finitely many monomial terms: $p = \sum_{r} c_r x^r$. The degree of a multivariate polynomial $p$ is the maximum over the degrees of all monomial terms $m$ that occur in $p$ with a non-zero coefficient.



We assume some basic familiarity with the basics of computational algebraic geometry [11] and elementary linear algebra [17].

Vector Fields: A vector field $F$ over a manifold $M \subseteq \mathbb{R}^n$ is a map $F : M \to \mathbb{R}^n$ from each $x \in M$ to a vector $F(x) \in \mathbb{R}^n$, wherein $F(x) \in T_M(x)$, the tangent space of $M$ at $x$.

A vector field $F$ is continuous if the map $F$ is continuous. A polynomial vector field $F \in (\mathbb{R}[x])^n$ is specified by a tuple $F(x) = (p_1(x), p_2(x), \dots, p_n(x))$, wherein $p_1, \dots, p_n \in \mathbb{R}[x]$.

A system of (coupled) ordinary differential equations (ODE) specifies the evolution of variables $x : (x_1, \dots, x_n) \in M$ over time $t$:

$$\frac{dx_1}{dt} = p_1(x_1, \dots, x_n), \;\cdots,\; \frac{dx_n}{dt} = p_n(x_1, \dots, x_n),$$

The system implicitly defines a vector field $F(x) : (p_1(x), \dots, p_n(x))$. We assume that all vector fields $F$ considered in this paper are (locally) Lipschitz continuous over the domain $M$. In general, all polynomial vector fields are locally Lipschitz continuous, but not necessarily globally Lipschitz continuous over an unbounded domain $X$. The Lipschitz continuity of the vector field $F$ ensures that given $x = x_0$, there exists a time $T > 0$ and a unique time trajectory $\tau : [0,T) \to \mathbb{R}^n$ such that $\tau(0) = x_0$.

Definition 2.1. For a vector field $F : (f_1, \dots, f_n)$, the Lie derivative of a smooth function $f(x)$ is given by

$$\mathcal{L}_F(f) = (\nabla f) \cdot F(x) = \sum_{i=1}^{n} \left( \frac{\partial f}{\partial x_i} \cdot f_i \right)$$

Henceforth, wherever the vector field $F$ is clear from the context, we will drop subscripts and use $\mathcal{L}(p)$ to denote the Lie derivative of $p$ w.r.t $F$.

Definition 2.2. A continuous system over variables $x_1, \dots, x_n$ consists of a tuple $\mathcal{S} : \langle X_0, \mathcal{F}, X_I \rangle$ wherein $X_0 \subseteq \mathbb{R}^n$ is the set of initial states, $\mathcal{F}$ is a vector field over the domain represented by a manifold $X_I \subseteq \mathbb{R}^n$.

Note that in the context of hybrid systems, the set $X_I$ is often referred to as the state invariant or the domain manifold.

2.2 Change-of-Bases for Continuous Systems

In this section, we will present change-of-bases (CoB) transformations of continuous systems and some of their properties.

Consider a map $\alpha : \mathbb{R}^n \to \mathbb{R}^m$. Given a set $S \subseteq \mathbb{R}^n$, let $\alpha(S)$ denote the set obtained by applying $\alpha$ to all the elements of $S$. Likewise, the inverse map over sets is $\alpha^{-1}(T) : \{ s \mid \alpha(s) \in T \}$. Let $\mathcal{S} : \langle X_0, \mathcal{F}, X_I \rangle$ be a continuous system over variables $x : (x_1, \dots, x_n)$ and $\mathcal{T} : \langle Y_0, \mathcal{G}, Y_I \rangle$ be a continuous system over variables $y : (y_1, \dots, y_m)$.

Definition 2.3. We say that $\mathcal{T}$ simulates $\mathcal{S}$ iff there exists a smooth mapping $\alpha : \mathbb{R}^n \to \mathbb{R}^m$ such that

1. $Y_0 \supseteq \alpha(X_0)$ and $Y_I \supseteq \alpha(X_I)$.

2. For any trajectory $\tau : [0,T) \to X_I$ of $\mathcal{S}$, $\alpha \circ \tau$ is a trajectory of $\mathcal{T}$.

A simulation relation implies that any time trajectory of $\mathcal{S}$ can be mapped to a trajectory of $\mathcal{T}$ through $\alpha$. However, since $\alpha$ need not be invertible, the converse need not hold. I.e., $\mathcal{T}$ may exhibit time trajectories that are not mapped onto by any trajectory in $\mathcal{S}$.

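Let $\mathcal{S}$ and $\mathcal{T}$ be defined by Lipschitz continuous vector fields. The following theorem enables us to check given $\mathcal{S}$ and $\mathcal{T}$, if $\mathcal{T}$ simulates $\mathcal{S}$.

Theorem 2.1. $\mathcal{T}$ simulates $\mathcal{S}$ if the following conditions hold:

1. $Y_0 \supseteq \alpha(X_0)$.

2. $Y_I \supseteq \alpha(X_I)$.

3. $\mathcal{G}(\alpha(x)) = J_\alpha \cdot \mathcal{F}(x)$, wherein $J_\alpha$ is the Jacobian matrix

$$J_\alpha(x_1, \dots, x_n) = \begin{bmatrix} \frac{\partial \alpha_1}{\partial x_1} & \cdots & \frac{\partial \alpha_1}{\partial x_n} \\ \vdots & \ddots & \vdots \\ \frac{\partial \alpha_m}{\partial x_1} & \cdots & \frac{\partial \alpha_m}{\partial x_n} \end{bmatrix}$$

and $\alpha(x) = (\alpha_1(x), \dots, \alpha_m(x))$, $\alpha_i : \mathbb{R}^n \to \mathbb{R}$.

Proof. Let $\tau_x$ be a trajectory over $x$ for system $\mathcal{S}$. Note that at any time instant $t \in [0,T)$,

We wish to show that $\tau_y(t) = \alpha(\tau_x(t))$ is a time trajectory for the system $\mathcal{T}$. Since $\tau_x(0) \in X_0$, we conclude that $\tau_y(0) = \alpha(\tau_x(0)) \in Y_0$. Since $\tau_x(t) \in X_I$ for all $t \in [0,T)$, we have that $\tau_y(t) = \alpha(\tau_x(t)) \in Y_I$. Differentiating $\tau_y$ we get,

$$\frac{d\tau_y}{dt} = \frac{d\alpha(\tau_x(t))}{dt} = J_\alpha \cdot \frac{d\tau_x}{dt} = J_\alpha \cdot \mathcal{F}(\tau_x(t)) = \mathcal{G}(\alpha(\tau_x(t))) = \mathcal{G}(\tau_y(t)).$$

Therefore $\tau_y = \alpha \circ \tau_x$ conforms to the dynamics of $\mathcal{T}$. By Lipschitz continuity of $\mathcal{G}$, we obtain that $\tau_y$ is the unique trajectory starting from $\alpha \circ \tau_x(0)$. □

Theorem 2.1 shows that the condition

$$\mathcal{G}(\alpha(x)) = J_\alpha \cdot \mathcal{F}(x)$$

relating vector fields $\mathcal{F}$ and $\mathcal{G}$ suffices to guarantee that time trajectories (integral curves) of $\mathcal{F}$ are related to those in $\mathcal{G}$ through the map $\alpha$. In differential geometric terms, this condition can be stated as $\mathcal{F}$ is $\alpha$-related to $\mathcal{G}$ [20].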

Note that, in general, a trajectory $\tau_y(t) = \alpha(\tau_x(t))$ may exist for a longer interval of time than the interval $[0,T)$ over which $\tau_x$ is assumed to be defined.

Theorem 2.2. Let $\mathcal{T}$ simulate $\mathcal{S}$ through a map $\alpha$. If $Y \subseteq Y_I$ is a positive invariant set for $\mathcal{T}$ then $\alpha^{-1}(Y) \cap X_I$ is a positive invariant set for $\mathcal{S}$.

Proof. Assuming otherwise, let $\tau_x$ be a time trajectory that starts from inside $\alpha^{-1}(Y) \cap X_I$ and has a time instant $t$ such that $\tau_x(t) \notin \alpha^{-1}(Y) \cap X_I$. Since we defined time trajectories so that $\tau_x(t) \in X_I$, it follows that $\tau_x(t) \notin \alpha^{-1}(Y)$. As a result, $\alpha(\tau_x(t)) \notin Y$. Therefore, corresponding to $\tau_x$, we define a new trajectory $\tau_y = \alpha \circ \tau_x$ which violates the positive invariance of $Y$. This leads to a contradiction. □

Let $\varphi[y]$ be an assertion representing an invariant of the system $\mathcal{T}$ that simulates $\mathcal{S}$ through CoB transformation $\alpha$. The assertion $\varphi[y \mapsto \alpha(x)]$ obtained by substituting $\alpha(x)$ in place of occurrences of $y$ is an invariant for the original system. In other words, inverting the map $\alpha$ simply boils down to substituting $\alpha(x)$ in the invariants of the abstract system. An application of the Theorem above is illustrated in Example 1.1.

Example 2.1. Consider a mechanical system $\mathcal{S}$ expressed in generalized position coordinates $(q_1, q_2)$ and momenta $(p_1, p_2)$ defined using the following vector field:

$$\mathcal{F}(p_1, p_2, q_1, q_2) : \left( -2q_1q_2^2,\; -2q_1^2q_2,\; 2p_1,\; 2p_2 \right)$$

with the initial conditions: $(p_1, p_2) \in [-1,1] \times [-1,1] \;\land\; (q_1, q_2) : (2,2)$. Using the transformation $\alpha(p_1, p_2, q_1, q_2) : p_1^2 + p_2^2 + q_1^2q_2^2$, we see that $\mathcal{S}$ is simulated by a linear system $\mathcal{T}$ over $y$, with dynamics given by $\frac{dy}{dt} = 0$, $y(0) \in [16,18]$.

Incidentally, the form of the system $\mathcal{T}$ above indicates that $\alpha$ is an expression for a conserved quantity (in this case, the Hamiltonian) of the system. ▲

The main goal of this work is to study CoB transformations that "simplify" the system's 
dynamics either (a) casting a non-algebraic vector field into one defined algebraically or (b) 
reducing the degree of a given algebraic vector field by means of an abstraction. A special 
case consists of linearizing CoB transformations that map a non-linear system to one defined 
by affine dynamics. 

Recall that a system $\mathcal{T}$ is algebraic if it is described by a polynomial vector field. Furthermore, $\mathcal{T}$ is affine if it is described by an affine vector field $\frac{dy}{dt} = Ay + b$ for an $m \times m$ matrix $A$ and an $m \times 1$ vector $b$.

Definition 2.4. Let $\mathcal{S}$ be a (non-linear) system. We say that $\alpha$ is an algebraizing CoB transformation if it maps $\mathcal{S}$ to an algebraic system $\mathcal{T}$.

We say that $\alpha$ is a linearizing CoB transformation if it maps each trajectory of $\mathcal{S}$ to that of an affine system $\mathcal{T}$.

Example 2.2. Consider the vector field $\mathcal{F}$

$$\frac{dx}{dt} = x^3 - 2x^2 + y^2 + xy, \quad \frac{dy}{dt} = 2x - 3x^2 + 2y^3.$$

Let $\alpha : (x,y) \mapsto (w_1, w_2, w_3, w_4)$ be defined as

$$\alpha(x,y) : (x, y, x^2, y^2)$$

Using $\alpha$, we can verify that $\mathcal{F}$ is simulated by the vector field $\mathcal{G}$:

$$\frac{dw_1}{dt} = w_1w_3 - 2w_3 + w_4 + w_1w_2, \quad \frac{dw_2}{dt} = 2w_1 - 3w_3 + 2w_2w_4$$

$$\frac{dw_3}{dt} = -4w_1w_3 + 2w_3^2 + 2w_2w_3 + 2w_1w_4, \quad \frac{dw_4}{dt} = 4w_1w_2 - 6w_2w_3 + 4w_4^2$$

Note that while $\mathcal{F}$ is a cubic vector field over $\mathbb{R}^2$, $\mathcal{G}$ is a quadratic vector field over $\mathbb{R}^4$. ▲

Example 1.1 illustrates a linearizing CoB transformation.

The above definition of an algebraizing or linearizing CoB seems useful, in practice, only if 
a and T are already known. We may then use known techniques for reasoning over algebraic 
systems or affine systems for safely bounding the reachable set of an affine system, given some 
initial conditions, and transform the result back through substitution to obtain a bound on 
the reachable set for S. 

We now present a technique that searches for a map $\alpha$ to obtain an algebraic system $\mathcal{T}$ that simulates a given system $\mathcal{S}$ through $\alpha$ such that the vector field describing $\mathcal{T}$ is degree bounded by a given degree limit $d > 0$. In particular, if the degree limit $d$ is set to 1, then the resulting transformation $\alpha$ is linearizing.

We ignore the initial condition and invariant, for the time being, and simply focus on obtaining the dynamics of $\mathcal{T}$. In other words, we will search for a map $\alpha : (\alpha_1, \dots, \alpha_m)$ that maps $\mathbb{R}^n$ into $\mathbb{R}^m$ so that

$$J_\alpha(x) \cdot \mathcal{F}(x) = \mathcal{G}(\alpha(x)).$$

Having found such a map, we may find appropriate over-approximate initial and invariance conditions for the simulating system $\mathcal{T}$, so that Definition 2.3 holds. Specifically, we are interested in finding transformations $\alpha$ that ensure that (a) $\mathcal{G}$ is a polynomial vector field and (b) the degrees of polynomials describing $\mathcal{G}$ are degree bounded by the degree limit $d > 0$.

2.3 Multilinear Abstractions through Dimension Copying 

We first show that any polynomial system of ODEs can be abstracted by a multilinear system. However, doing so may require $\alpha$ to have many repeated components wherein $\alpha_i(x) = \alpha_j(x)$ for $i \neq j$.

Definition 2.5. A polynomial $p$ is defined to be multilinear if and only if each power-product in $p$ is of the form $x_1^{r_1} x_2^{r_2} \cdots x_n^{r_n}$ wherein each $r_i = 0$ or $1$.

Example 2.3. As an example, the polynomial $p = 2x_1x_2x_3 + x_1x_3 + 4x_1 - 2x_2 - 1$ is multilinear.
On the other hand, the polynomial q = 2x1 + xi + X3 is not, owing to the x^ power product. 

We first observe that any polynomial ODE may be equivalently written by means of a 
multilinear system using a suitably defined a. 

Theorem 2.3. Let $\mathcal{F}$ be a polynomial vector field over $x \in \mathbb{R}^n$. There is a transformation $\alpha : \mathbb{R}^n \to \mathbb{R}^m$, that maps $\mathcal{F}$ to a multilinear system $\mathcal{G}$.

Proof. Let us write $\mathcal{F}(x) : (p_1, \dots, p_n)$ for multivariate polynomials $p_1, \dots, p_n$. We will assume that the vector field $\mathcal{F}$ is not already multi-linear. Therefore, some $p_j$ has a power product that is divisible by $x_k^r$, for some $r \geq 2$. The idea is to use $r$ different functions $\alpha_{k,1} = \alpha_{k,2} = \cdots = \alpha_{k,r} = x_k$ so that in the transformed system the term $x_k^r$ appears as a multilinear product $y_{k,1} y_{k,2} \cdots y_{k,r}$.

In the worst case, the transformation $\alpha$ involves $n \times K$ components, wherein

$$K = \max(\mathrm{degree}(p_1), \dots, \mathrm{degree}(p_n)).$$

Each component $\alpha_{i,k} : x_i$ is simply a "copy" of the variable $x_i$ that ensures multilinearity of the transformed system. □

Example 2.4. Consider the one dimensional system defined by

$$\frac{dx}{dt} = 2x^5 + 3x^2 + x - 5.$$

We use the transformation $\alpha : \mathbb{R} \to \mathbb{R}^5$ wherein $\alpha_1(x) = \alpha_2(x) = \cdots = \alpha_5(x) = x$. Using this transformation, we derive an abstract system defined by the ODE

$$\frac{dy_j}{dt} = 2y_1y_2y_3y_4y_5 + 3y_1y_2 + y_1 - 5, \quad j = 1, 2, \dots, 5.$$

▲

Even though there are efficient algorithms for analyzing multi-linear systems [3], the transformation in Theorem 2.3 faces two potential problems: (a) the dimensionality of the transformed system $\mathcal{T}$ can be as large as the dimensionality of the original system times the maximum degree of the polynomials in the RHS of the vector field, and (b) ignoring the implicit equality relationships between the various dimensions results in a very coarse abstraction while taking them into account simply gives us the original system back (albeit in a different form).



2.4 Independent Transformations 

The rest of this paper will focus on independent transformations $\alpha : (\alpha_1, \dots, \alpha_N)$ wherein each $\alpha_i$ cannot be written as a linear combination of the remaining $\alpha_j$s for $j \neq i$. Assuming independence automatically rules out the constructions used in Theorem 2.3.

In general, computing independent transformations $\alpha$ for any given ODE is a hard problem. In this paper, we will focus on solutions that involve searching for an appropriate map $\alpha$, wherein $\alpha$ is specified to be the linear combination of some fixed, finite set of basis functions $g_1, \dots, g_k$. The initial basis is assumed to be given to our algorithm by the user. Starting from this initial basis of functions, our algorithm searches for transformations $\alpha$ whose components can be written as linear combinations $\sum_{j=1}^{k} \lambda_j g_j$.

The basis functions could be specified implicitly as the set of all power products over $x$ of degree up to some limit > or the set of all power products involving the variables $x_j$ and various non-algebraic functions $\sin(z)$, $\cos(z)$ and applied to these power products. Having chosen a basis $B = \{g_1, \dots, g_k\}$ for $\alpha$, we will cast the search for the map $\alpha$ as a vector space iteration.

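Let $\alpha(x) : (\alpha_1(x), \dots, \alpha_m(x))$ be a smooth mapping $\alpha : \mathbb{R}^n \to \mathbb{R}^m$, wherein each $\alpha_i : \mathbb{R}^n \to \mathbb{R}$. Recall that $\mathcal{L}_{\mathcal{F}}(\alpha_i(x)) = (\nabla \alpha_i) \cdot \mathcal{F}(x)$ denotes the Lie derivative of the function $\alpha_i(x)$ w.r.t vector field $\mathcal{F}$.

Lemma 2.1.

$$J_\alpha \cdot \mathcal{F}(x) = \begin{pmatrix} \mathcal{L}_{\mathcal{F}}(\alpha_1(x)) \\ \mathcal{L}_{\mathcal{F}}(\alpha_2(x)) \\ \vdots \\ \mathcal{L}_{\mathcal{F}}(\alpha_m(x)) \end{pmatrix}$$

Proof. Recall the definition of the Jacobian matrix $J_\alpha$:

$$J_\alpha(x_1, \dots, x_n) = \begin{bmatrix} \frac{\partial y_1}{\partial x_1} & \cdots & \frac{\partial y_1}{\partial x_n} \\ \vdots & \ddots & \vdots \\ \frac{\partial y_m}{\partial x_1} & \cdots & \frac{\partial y_m}{\partial x_n} \end{bmatrix} = \begin{bmatrix} \nabla \alpha_1 \\ \vdots \\ \nabla \alpha_m \end{bmatrix}.$$

Therefore,

$$J_\alpha \cdot \mathcal{F} = \begin{pmatrix} (\nabla \alpha_1) \cdot \mathcal{F} \\ (\nabla \alpha_2) \cdot \mathcal{F} \\ \vdots \\ (\nabla \alpha_m) \cdot \mathcal{F} \end{pmatrix} = \begin{pmatrix} \mathcal{L}_{\mathcal{F}}(\alpha_1(x)) \\ \mathcal{L}_{\mathcal{F}}(\alpha_2(x)) \\ \vdots \\ \mathcal{L}_{\mathcal{F}}(\alpha_m(x)) \end{pmatrix}$$

□

Note: For the rest of this section, we will fix a vector field $\mathcal{F}$ belonging to a system $\mathcal{S}$ as the original system for which we seek an abstraction. We will simply write $\mathcal{L}(g)$ to denote the Lie-derivative of a given function $g$ in place of $\mathcal{L}_{\mathcal{F}}(g)$.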

2.5 Vector Space Closure 

We first define the vector spaces that will be used in our search. 

Definition 2.6. Let $B = \{g_1, \dots, g_k\}$ be some finite set of functions wherein $g_i : \mathbb{R}^n \to \mathbb{R}^m$ for some fixed $n, m > 0$. The vector space spanned by $B$, denoted $\mathrm{Span}(B)$, consists of all functions that are linear combinations of $g_i$:

$$\mathrm{Span}(B) = \left\{ \sum_{i=1}^{k} \lambda_i g_i \;\middle|\; \lambda_i \in \mathbb{R} \right\}$$

We assume, without loss of generality, that the elements in $B$ are linearly independent. I.e., no $g_i \in B$ can be written as a linear combination of the remaining $g_j \in B$, for $j \neq i$.

Let $\mathbf{1}$ represent the constant function $\mathbf{1}(x) = 1 \in \mathbb{R}^m$. Given a vector space $V = \mathrm{Span}(B)$, we define the space of power products of $V$ up to a degree limit $d \geq 1$ as

$$V^{(d)} = \mathrm{Span}\left( \{ g_{i_1} \times g_{i_2} \times \cdots \times g_{i_d} \mid g_{i_1}, \dots, g_{i_d} \in B \cup \{\mathbf{1}\} \} \right).$$

In particular, note that $V^{(1)} = \mathrm{Span}(V \cup \{\mathbf{1}\})$.

Example 2.5. Let B = {x,sin(y)} be our basis set. The vector space V : Span{B) is given 
by {aix + 02 sin(y) | ai, 02 G M}. The space V^"^^ is the set 

(oo + aix + 02 sin(y) + a^x sm{y) + a^x^ + 05 sin^(y) | oq, . . . , 05 G M} . 

This space is generated by the functions l,x,sin(y),xsin(y),x^,sin^(y). It consists of all 
polynomials of degree at most 2 formed by the functions x, sin(y). The purpose of adding the 
function 1 is to enable terms of degree 1 and to be considered. ▲ 
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Roughly, the main idea behind our approach is to find a vector space U that satisfies the 
following closure property: 

{\f feU) C{f) G U^''^ . 

In other words, we will search for a vector space U, such that taking the Lie derivative of 
any element of U yields an element in U^'^K Such a vector space U will be called d — closed. 
Let U = Span {{hi, . . . , hm}) be a d — closed vector space. We will prove that a : {hi, . . . , hm) 
maps the original system S to an algebraic system T with a vector field of degree at most d. 

Definition 2.7. A vector space V is said to be d — closed under the application of Lie 
derivatives iff {M f £ V) C{f) G V^'^'^ . 

In order to check whether a given space V = Span{B) is d — closed, it suffices to verify 
the property in Definition 12.71 for the elements in B. 

Lemma 2.2. A vector space U = Span {{hi, ... , hm}) be d — closed under Lie derivatives if 
and only if C{hi) G U^'^'^ for z G {1, . . . ,m}. 

Proof. If U is d — closed under Lie derivatives then by definition, the Lie derivatives of its 
basis elements hi should lie in U^'^h We will prove the reverse direction. Let U be such 
that for each basis element hi, we have C{hi) G f/^'^^. Any element of U can be written as 
/ = X]^=i ^j^j ^3 ^ ^- We have C{f) = X]j=i CLjC{hj). Since each C{hj) G U^'^\ we have 
that £(/) G U^'^\ This completes the proof. □ 

Next, we relate d-closed vector spaces to algebraizing CoB transformations. Let $B =
\{h_1, \ldots, h_m\}$ and $U = \mathrm{Span}(B)$ be a d-closed vector space. Let $\alpha$ be the map from $\mathbb{R}^n \to \mathbb{R}^m$
defined as $\alpha : (h_1, \ldots, h_m)$.

Theorem 2.4. The map $\alpha$ formed by the basis elements of a d-closed vector space is an
algebraizing transformation from the original system $\mathcal{S}$ to a system $\mathcal{T}$ defined by a polynomial
vector field of degree at most $d$.

Proof. Since $U$ is d-closed, we note that for each $h_i$ in the basis of $U$, we have $\mathcal{L}(h_i) \in U^{(d)}$.
In other words, we may write $\mathcal{L}(h_i)$ as a linear combination of power products as shown below:

$$\mathcal{L}(h_i) : \sum_{j=1}^{K} a_{ij}\, h_{i,j,1} \times h_{i,j,2} \times \cdots \times h_{i,j,d}, \quad \text{wherein } h_{i,j,k} \in B \cup \{1\} \qquad (1)$$

We define the system $\mathcal{T}$ over variables $y_1, \ldots, y_m$. We will use variable $y_i$ to correspond to
$h_i(x)$. The dynamics are obtained as

i=i 

by substituting the variable $y_j$ wherever the function $h_j$ occurs in Equation (1). Let $G$ be the
resulting vector field on $y$. It is easy to see that (a) $G$ is a polynomial vector field and (b) of
degree at most $d$.

From Lemma 2.1 we note that $J_\alpha \mathcal{F}(x) = (\mathcal{L}(h_1), \ldots, \mathcal{L}(h_m))$. We verify that
$(\mathcal{L}(h_1), \ldots, \mathcal{L}(h_m)) = G(h_1(x), \ldots, h_m(x))$. This is directly evident from the construction of $G$ from Equation (1).
Thus, the key condition (3) of Theorem 2.1 is seen to hold. By finding the right sets $Y_0, Y_j$
given $\alpha$, we take care of the remaining conditions as well. □

Note: The trivial space $V = \mathrm{Span}(\{0\})$ consisting of the constant function that maps all
inputs to 0 is always d-closed. This space yields $\alpha : (0)$ that maps all states $x$ to the zero
vector. As such, the map $\alpha$ is not very useful in practice for inferring invariants.

Example 2.6. Consider the ODE from Example 1.1, recalled below:

$$\frac{dx}{dt} = xy + 2x, \qquad \frac{dy}{dt} = -\frac{1}{2}y^2 + 7y + 1.$$

We claim that the vector space $V$ generated by the set of functions $\{x, xy, xy^2\}$ is 1-closed.
To verify, we compute the Lie derivative of a function of the form $c_1 x + c_2 xy + c_3 xy^2$ to obtain

$$c_1(xy + 2x) + c_2\left(\tfrac{1}{2}xy^2 + 9xy + x\right) + c_3(16xy^2 + 2xy),$$

which is seen to belong to $V^{(1)}$. As a result, we obtain the CoB abstraction $\alpha(x, y) : (x, xy, xy^2)$
that maps the vector field to an affine vector field (polynomial of degree 1).
The abstract system over $(w_1, w_2, w_3) \in \mathbb{R}^3$ has dynamics given by

$$\frac{dw_1}{dt} = 2w_1 + w_2, \qquad \frac{dw_2}{dt} = w_1 + 9w_2 + \tfrac{1}{2}w_3, \qquad \frac{dw_3}{dt} = 16w_3 + 2w_2.$$

The mapping between original and abstract system is given by

$$w_1 \mapsto x, \quad w_2 \mapsto xy, \quad w_3 \mapsto xy^2.$$



2.6 Finding Closed Vector Spaces 

We will now describe a search technique for finding a map $\alpha$ and the associated abstraction
$\mathcal{T}$, such that the dynamics of $\mathcal{T}$ are described by polynomials with degree bound $d$. For $d = 1$,
the dynamics of $\mathcal{T}$ are affine. The inputs to our search procedure are

1. The original system $\mathcal{S}$ described by a vector field $\mathcal{F}$,

2. The degree limit $d$ for the desired vector field $\mathcal{T}$, and

3. An initial basis $B_0 = \{h_1, \ldots, h_N\}$ of continuous and differentiable functions. We may
regard the linear combination

$$c_1 h_1(x) + c_2 h_2(x) + \cdots + c_N h_N(x),$$

as an ansatz or a template for each component $\alpha_j$ of the map $\alpha : (\alpha_1, \ldots, \alpha_m)$ that
we are searching for. However, we do not fix the number of components $m$ of the
transformation $\alpha$ a priori, or guarantee that a non-trivial $\alpha$ (with $m > 0$) can be found.

The initial basis $B_0$ is often specified as consisting of all power products of the variables
in $x$ with a given degree limit $M$. This limit $M$ is chosen independent of the limit $d$ for the
desired abstraction $\mathcal{T}$.

Our overall approach is to start with the initial vector space $V_0 : \mathrm{Span}(B_0)$ and iteratively
refine $V_0$ to construct a sequence of vector spaces

$$V_0 \supset V_1 \supset V_2 \cdots \supset V_k = V_{k+1} = V^*$$

wherein (1) $V_{j+1} \subset V_j$ for $j \in [1, k-1]$, and (2) $V_k = V_{k+1}$. The iterative scheme is designed
to guarantee that the converged result $V^*$ is d-closed. If $V^*$ has a non-zero basis, then
the basis elements of $V^*$ form the components of the map $\alpha$ and the abstraction $\mathcal{T}$ whose
dynamics have the desired form.

The main step of iteration is to derive $V_{i+1}$ from $V_i$. This is performed as follows:

$$V_{i+1} = \{\, g \in V_i \mid \mathcal{L}(g) \in V_i^{(d)} \,\}. \qquad (2)$$

In other words, $V_{i+1}$ retains those functions $g \in V_i$ whose Lie derivatives also lie inside $V_i^{(d)}$.

Lemma 2.3. (1) $V_{i+1}$ is a sub-space of $V_i$. (2) $V_i$ is d-closed iff $V_i = V_{i+1}$.

Proof. We prove the two parts (1) and (2) as follows.

(1) Since by Eq. (2), $V_{i+1} \subseteq V_i$, it suffices to show that $V_{i+1}$ is a vector space. Let
$g_1, \ldots, g_k \in V_{i+1}$. We have that $g_1, \ldots, g_k \in V_i$. Furthermore, since $V_i$ is a vector space,
any linear combination $g : \sum_{j=1}^{k} \lambda_j g_j \in V_i$. The Lie derivative $\mathcal{L}(g)$ can be written as
$\sum_{j=1}^{k} \lambda_j \mathcal{L}(g_j)$. Since $\mathcal{L}(g_j) \in V_i^{(d)}$, we have $\mathcal{L}(g) = \sum_{j=1}^{k} \lambda_j \mathcal{L}(g_j) \in V_i^{(d)}$. Therefore, by
definition $g \in V_{i+1}$ as well. The linear combination of any finite subset of elements from $V_{i+1}$
also belongs to $V_{i+1}$, proving that it is a sub-space of $V_i$.

(2) If $V_i = V_{i+1}$, it is easy to check that $V_i$ satisfies the definition of being d-closed.
For the other direction, let us assume that $V_i$ is d-closed. Then for each $g \in V_i$, we have
$\mathcal{L}(g) \in V_i^{(d)}$. Thus $g \in V_{i+1}$. This proves that $V_{i+1} \supseteq V_i$. Combining with the fact that
$V_{i+1} \subseteq V_i$, we obtain equality. □

We now focus on calculating $V_{i+1}$ from $V_i$. Let $V_i : \mathrm{Span}(B_i)$ for a finite set $B_i$. Any
element of $V_i$ can be represented as $\sum_{h_j \in B_i} c_j h_j$ for some multipliers $c_j$. The Lie derivative
is expressed as $\sum_{h_j \in B_i} c_j \mathcal{L}(h_j)$. The procedure for calculating $V_{i+1}$ reduces to finding the set
of multipliers $(c_1, \ldots, c_M)$ where $M = |B_i|$ such that $\sum_{h_j \in B_i} c_j \mathcal{L}(h_j) \in V_i^{(d)}$.

The key challenge lies in comparing two elements of the form $\sum_j c_j \mathcal{L}(h_j)$ and $\sum_k d_k g_k$,
for unknowns $c_j$ and $d_k$, where $h_j \in B_i$ and $g_k \in V_i^{(d)}$. If both the functions are polynomials
over $x$, the comparison is performed by equating the coefficients of corresponding monomials.
This is illustrated using the example below:

Example 2.7. Consider once again the ODE from Examples 1.1 and 2.6. We seek to find
an affine system $\mathcal{T}$ that abstracts this system. Let us consider the space $V_0$ generated by the
basis $B_0 : \{x, y, xy, x^2, y^2\}$ of all degree 2 monomials. Any element in $V_0$ can be written as

$$p(c_1, \ldots, c_5) : c_1 x + c_2 y + c_3 xy + c_4 x^2 + c_5 y^2.$$

Its Lie derivative is given by

$$c_1(xy + 2x) + c_2\left(-\tfrac{1}{2}y^2 + 7y + 1\right) + c_3 x\left(-\tfrac{1}{2}y^2 + 7y + 1\right) + c_3 y(xy + 2x) + c_4(2x)(xy + 2x) + c_5(2y)\left(-\tfrac{1}{2}y^2 + 7y + 1\right).$$

This can be simplified as

$$p'(c_1, \ldots, c_5) : c_2 + (2c_1 + c_3)x + (7c_2 + 2c_5)y + (c_1 + 9c_3)xy + 4c_4 x^2 + \left(14c_5 - \tfrac{1}{2}c_2\right)y^2 + \tfrac{1}{2}c_3 xy^2 + 2c_4 x^2 y - c_5 y^3.$$

We require the Lie derivative to belong to $V_0^{(1)} = \mathrm{Span}(B_0 \cup \{1\})$. This yields the constraints:

$$(\exists d_0, d_1, \ldots, d_5)\ (\forall x, y)\ d_0 + d_1 x + d_2 y + d_3 xy + d_4 x^2 + d_5 y^2 = p'(c_1, \ldots, c_5).$$

We use the lemma that two polynomials are identical iff their coefficients on corresponding
power-products are. This yields the following system of linear equations:

$$c_2 = d_0, \quad 2c_1 + c_3 = d_1, \quad 7c_2 + 2c_5 = d_2, \quad c_1 + 9c_3 = d_3,$$
$$4c_4 = d_4, \quad 14c_5 - \tfrac{1}{2}c_2 = d_5, \quad c_3 = 0, \quad 2c_4 = 0, \quad c_5 = 0.$$

Eliminating $d_0, \ldots, d_5$, we obtain the constraints $c_3 = c_4 = c_5 = 0$. The new basis $B_1$ is
$\{x, y\}$. ▲

On the other hand, if the basis $B_i$ involves non-polynomials (trigonometric or exponential
functions), then encoding equality by matching up coefficients of syntactically identical terms
is incomplete, i.e., not all solutions can be found by equating coefficients of matching terms.
In general, deciding if an expression involving trigonometric functions is identically zero
is undecidable.¹ In practice, we may continue to handle trigonometric functions using the
same syntactic matching technique that is complete for polynomials. If a d-closed basis is
discovered this way, then it may be used to derive a valid abstraction. On the other hand, the
process may be unable to find a vector space starting from the initial set of functions even if
one such exists.

Example 2.8. Consider a simple example with the ODE

$$\frac{dx}{dt} = \sin(x + y), \qquad \frac{dy}{dt} = x + y.$$

Consider the space $V$ spanned by the basis

$$B = \{x, y, \sin(x), \sin(y), \cos(x), \cos(y)\}.$$

Our goal is to check if $V$ is 3-closed. Any element of $V$ can be written as

$$c_1 x + c_2 y + c_3 \sin(x) + c_4 \sin(y) + c_5 \cos(x) + c_6 \cos(y).$$

Its Lie derivative can be written as

$$c_1 \sin(x + y) + c_2(x + y) + c_3 \cos(x)\sin(x + y) + c_4 \cos(y)(x + y) - c_5 \sin(x)\sin(x + y) - c_6 \sin(y)(x + y).$$

Our goal is to check if the Lie derivative belongs to $V^{(3)}$. We note that a syntactic check
for membership yields the constraints $c_1 = c_3 = c_5 = 0$. On the other hand, substituting the
trigonometric identity

$$\sin(x + y) = \sin x \cos y + \sin y \cos x,$$

we may indeed verify that the Lie derivative of any element of $V$ belongs to $V^{(3)}$. This yields
a degree 3 algebraization given by $\alpha(x, y) : (x, y, \sin(x), \sin(y), \cos(x), \cos(y))$ with the abstract
system having the dynamics

$$\frac{dw_1}{dt} = w_3 w_6 + w_4 w_5, \qquad \frac{dw_2}{dt} = w_1 + w_2,$$
$$\frac{dw_3}{dt} = w_3 w_5 w_6 + w_5^2 w_4, \qquad \frac{dw_4}{dt} = w_6 w_1 + w_6 w_2,$$
$$\frac{dw_5}{dt} = -w_3^2 w_6 - w_3 w_4 w_5, \qquad \frac{dw_6}{dt} = -w_4 w_1 - w_4 w_2.$$

Here $w_1, \ldots, w_6$ correspond to the components of the map $\alpha$ above. ▲

¹ This follows from Richardson's theorem [27].

Theorem 2.5. Given an initial vector space $V_0$ and vector field $\mathcal{F}$, the iterative procedure
using Eqn. (2) converges in finitely many steps to a subspace $V^* \subseteq V_0$. Let $\alpha_1, \ldots, \alpha_m$ be the
basis functions that generate $V^*$.

1. The transformation $\alpha : (\alpha_1, \ldots, \alpha_m)$ generated by the basis functions of the final vector
space leads to an abstract system whose dynamics are described by polynomials of degree
at most $d$.

2. For every CoB transformation $\beta : (\beta_1, \ldots, \beta_k)$, wherein each $\beta_j \in V_0$ and $\beta$ yields a
polynomial abstraction of degree at most $d$, it follows that $\beta_i \in V^*$.

Proof. Let us represent the iterative sequence as

$$V_0 \supset V_1 \supset V_2 \cdots$$

The convergence of the iteration follows from the observation that if $V_{i+1} \subset V_i$, the dimension
of $V_{i+1}$ is at least one less than that of $V_i$. Since $V_0$ is finite dimensional, the number of
iterations is upper bounded by the number of basis functions in $V_0$.
Statement 1 follows directly from Theorem 2.4.

Finally, let us assume that a transformation $\beta$ exists such that $\beta_j \in V_0$. We note that the
space $U$ generated by $1, \beta_1, \ldots, \beta_k$ is a subset of $V_0$ and is d-closed. We can now prove by
induction that $U \subseteq V_i$ for each $i$. The base case is true since $U \subseteq V_0$.

Next, we show that if $U \subseteq V_i$ then $U \subseteq V_{i+1}$. This follows from Eq. (2) since for each $p \in U$,
we have $p \in V_i$ and $\mathcal{L}(p) \in U^{(d)}$. This gives us $\mathcal{L}(p) \in V_i^{(d)}$. Therefore, $p \in V_{i+1}$.

As a result, we prove by induction that $U \subseteq V_i$ for each $i$. This also means that $U \subseteq
V^*$. □

Note that it is possible for the converged result $V^*$ to be trivial, i.e., it is generated by the
constant function 1.



Example 2.9. Consider the Van der Pol oscillator whose dynamics are given by

x = y, y = ii{y- ^y^ - x) . 

Our search for polynomials ($\mu = 1$) of degree up to 20 did not yield a non-trivial linearizing
transformation.

For a trivial system, the resulting affine system $\mathcal{T}$ is $\frac{dw}{dt} = 0$ under the map $\alpha(x) = 0$.
Naturally, this situation is not quite interesting but will often result, depending on the system
$\mathcal{S}$ and the initial basis chosen for $V_0$. We now discuss common situations where the vector space
$V^*$ obtained as the result is guaranteed to be non-trivial.

2.7 Strong and Constant Scale Consecution 

The notion of "strong" consecution, "constant scale" consecution and "polynomial scale" con- 
secution were defined for equality invariants of differential equations in our previous work [s^ 
and subsequently expanded upon by Matringe et al. [i^] using the notion of morphisms. We 
now show that the techniques presented in this section can generalize strong and constant
scale consecutions, ensuring that all the systems handled by the techniques presented in our
previous work [38] can be handled by the techniques here (but not vice versa).

Definition 2.8. A function $f$ satisfies the strong scale consecution requirement for a vector
field $\mathcal{F}$ iff $\mathcal{L}_{\mathcal{F}}(f) = 0$. In other words, $f$ is a conserved quantity. Similarly, $f$ satisfies the
constant scale consecution iff $\exists \lambda \in \mathbb{R},\ \mathcal{L}_{\mathcal{F}}(f) = \lambda f$.

The following theorem is a corollary of Theorem 2.5 and shows that the ideas presented in
this section can capture the notion of strong and constant scale consecution without requiring 
quantifier elimination, solving an eigenvalue problem [ssl or finding roots of a univariate 
polynomial [j^ ]. 

Theorem 2.6. The result of the iteration V* starting from an initial space Vq contains all 
the strong and constant scale invariant functions in Vq. 

Proof. This is a direct consequence of Theorem 2.5 by noting that for a constant scale
consecuting function $f$, the subspace $U \subseteq V_0$ spanned by $f$ is closed under Lie derivatives. □

Furthermore, if such functions exist in Vq the result after convergence V* is guaranteed to 
be a non-trivial vector space (of positive dimension). Finally, constant scale and strong scale 
functions can be extracted by computing the affine equality invariants of the linear system T 
that can be extracted from V*. 

2.7.1 Stability 

We briefly address the issue of deducing stability (or instability) of a system $\mathcal{S}$ using an
abstraction to a system $\mathcal{T}$. Since $\alpha$ satisfies the identity

$$G(\alpha(x)) = J_\alpha \cdot \mathcal{F}(x),$$

every equilibrium of $\mathcal{S}$ ($\mathcal{F}(x) = 0$) maps onto an equilibrium of $\mathcal{T}$ ($G(x) = 0$), but not vice
versa. Furthermore, the map $\alpha(x) = (0, \ldots, 0)$ is an abstraction from any non-linear system
to one with an equilibrium at origin. Therefore, unless restrictions are placed on $\alpha$, we are
unable to draw conclusions on liveness properties for $\mathcal{S}$ based on $\mathcal{T}$. If $\alpha$ has a continuous
inverse, then $\mathcal{T}$ is topologically diffeomorphic to $\mathcal{S}$ [23]. This allows us to correlate equilibria
of $\mathcal{T}$ with those of $\mathcal{S}$. The preservation of stability under mappings of state variables has been
studied by Vassilyev and Ul'yanov [41]. We are currently investigating restrictions that will
allow us to draw conclusions about liveness properties of $\mathcal{S}$ from those of $\mathcal{T}$.

The issue of stability preserving maps between continuous and hybrid systems was recently
addressed by the work of Prabhakar et al. [30].

2.8 Affine CoB Abstraction: Existence 

We will now focus on the special case of CoB transformations that lead to linear abstractions
of the form $\frac{dw}{dt} = Aw$ (and affine abstractions of the form $\frac{dw}{dt} = Aw + b$).

Let $\mathcal{S}$ be a non-linear system over $x$ that has a CoB transformation $\alpha : \mathbb{R}^n \to \mathbb{R}^m$ with
$m > 0$ that maps to a linear system $\frac{dw}{dt} = Aw$.

Lemma 2.4. The system $\mathcal{S}$ has $m$ conserved quantities given by the components of the vector
valued function $e^{-tA}\alpha(x)$.

Proof. Our goal is to prove that the Lie derivative of each component of $e^{-tA}\alpha(x)$ equals zero.
Since $\alpha$ is a linearizing CoB, we have $\mathcal{L}(\alpha(x)) = A\alpha(x)$.
The Lie derivative of $e^{-tA}\alpha(x)$ is given by

$$e^{-tA}\mathcal{L}(\alpha(x)) + \partial_t\left(e^{-tA}\right)\alpha(x) = e^{-tA}A\alpha(x) - e^{-tA}A\alpha(x) = 0.$$

Thus we see that the Lie derivative of $e^{-tA}\alpha(x)$ vanishes. Therefore, each component of
$e^{-tA}\alpha(x)$ is a conserved quantity. □



Conversely, whenever the original system $\mathcal{S}$ has conserved quantities, it trivially admits
the linearization $\frac{dw}{dt} = 0$ using a transformation $\alpha$ that is formed by its conserved quantity.

Theorem 2.7. A system $\mathcal{S}$ has an independent, linearizing CoB transformation $\alpha : \mathbb{R}^n \to \mathbb{R}^m$
if and only if it has $m$ linearly independent conserved quantities.

The theorem extends to affine CoB transformations that yield abstract systems of the form
$\frac{dw}{dt} = Aw + b$. While conservative mechanical and electromagnetic systems naturally have
conserved quantities (e.g., conservation of momentum, energy, charge, mass), many systems
encountered are dissipative. Such cases are handled by extending the approach presented here
to differential inequality abstractions [34].

Furthermore, even in a setting where conservative quantities exist, the advantages of
searching for a CoB transformation as opposed to directly searching for a conserved quantity
from an ansatz are not clear at a first glance. The advantage of the techniques presented here
lies in the fact that existing techniques that search for conserved quantities focus for the most
part on finding polynomial conserved quantities, whereas searching for a CoB transformation
allows us to implicitly obtain conserved quantities that may involve exponentials, sines and
cosines in addition to polynomial conserved quantities by focusing purely on reasoning with
vector spaces generated by polynomials.

Example 2.10. We observed the following conserved quantity for the system in Example 1.1:



^ + TS2 (50 + 7^/5T) e(-9+v^)* + jfe (50 - 7^) e-(9+v^)*) x+ 



( 



( 7e9* 



J_„-9t-(9+V5T)t 
102^ 



51e 



9t 



14e(9+ 



51 t 



+ 



7g9t + ( - 9+ v^) t + ( 9+ V5T) i _^ 

V ^/5le^*+("^+^)*+(^+^)* 

_l_g-9t-(9+v^)t ^g9t _ 2g(9+V5T)t _^ g9t+(-9+V5T)i+(9+V5T)t 



This is one of the three conserved quantities obtained by computing $e^{-tA}\alpha(x)$, where

$$\alpha : (x, xy, xy^2) \quad \text{and} \quad A = \begin{pmatrix} 2 & 1 & 0 \\ 1 & 9 & \frac{1}{2} \\ 0 & 2 & 16 \end{pmatrix}.$$

We are unaware of techniques that can directly generate such conserved quantities. ▲

Finally, we conclude by noting that conserved quantities such as the one described above 
seem less useful for reasoning about the dynamics of the underlying system when compared 
to the CoB transformation and the resulting abstraction that gave rise to them. 



3 Abstractions for Discrete and Hybrid Systems 

In this section, we will discuss how the techniques of the previous sections can be extended 
to find CoB transformations of purely discrete programs. In particular, our focus will be 
on transforming loops in programs to infer abstractions that are of a simpler form. Our 
presentation will first focus on simple loops consisting of a single location. The combination 
of loops with multiple locations and continuous dynamics will be handled in the subsequent 
section. 



3.1 Transition System Models 

We will first define transition system models and the action of CoB transformations on these
models. Let $x \in X$ represent real valued system variables, where $X \subseteq \mathbb{R}^n$. Transition systems
will form our basic models for loops in programs [21].

Definition 3.1. A transition system $\Pi$ is defined by a tuple $(X, L, T, X_0, \ell_0)$, wherein,

1. $X \subseteq \mathbb{R}^n$ represents the continuous state-space. We will denote the system variables by
$x \in \mathbb{R}^n$.

2. $L$ denotes a finite set of locations.

3. $T$ represents a finite set of transitions. Each transition $t_j \in T$ is a tuple $(\ell_j, m_j, G_j, F_j)$,
where

• $\ell_j \in L$ is the pre-location of the transition, and $m_j \in L$ is the post-location.

• $G_j \subseteq \mathbb{R}^n$ is the guard condition on the system variables $x$.

• $F_j : \mathbb{R}^n \to \mathbb{R}^n$ is the update function.

4. $X_0 \subseteq X$ represents the possible set of initial values and $\ell_0 \in L$ represents the starting
location.

    X   : (x, y, k)
    L   : {ℓ_0}
    T   : {t_1 : (ℓ_0, ℓ_0, G_1, F_1), t_2 : (ℓ_0, ℓ_0, G_2, F_2)}
    X_0 : {(x, y, k) | x = y = 0 ∧ k > 0}
    G_1 : {(x, y, k) | y < k}
    F_1 : λ(x, y, k). (x + y^2, y + 1, k)
    G_2 : {(x, y, k) | y > k}
    F_2 : λ(x, y, k). (x, y, k)

Figure 2: Transition system model for the loop in Example 1.2.

Example 3.1. Figure 2 shows an example of a transition system derived from a simple
program that computes the sum of the first $k$ squares. The transition system consists of a
single location $\ell_0$, transitions $t_1 : (\ell_0, \ell_0, G_1, F_1)$ and $t_2 : (\ell_0, \ell_0, G_2, F_2)$. ▲

A state of the transition system is a tuple $\sigma : (\ell, x)$ where $\ell$ is the current location and
$x \in X$ are the values of the continuous variables.
A run is a finite or infinite sequence of states

$$\sigma_0 \xrightarrow{t_0} \sigma_1 \xrightarrow{t_1} \cdots \rightarrow \sigma_j \xrightarrow{t_j} \sigma_{j+1} \cdots,$$

where each $\sigma_j : (\ell_j, x_j)$ is a state and $t_j$ a transition, satisfying the following conditions:

1. The starting state $\sigma_0 : (\ell_0, x_0)$ is initial, i.e., $\ell_0$ is the initial location of $\Pi$ and $x_0 \in X_0$.

2. The state $\sigma_{j+1} : (\ell_{j+1}, x_{j+1})$ is related to the state $\sigma_j : (\ell_j, x_j)$ in the following way:

(a) The transition $t_j \in T$ is of the form $(\ell_j, \ell_{j+1}, G_j, F_j)$, leading from $\ell_j$ to $\ell_{j+1}$.

(b) The valuation $x_j$ of the continuous variables satisfies the guard $G_j$ and the valuation
$x_{j+1}$ is obtained by executing the assignments in $F_j$ on $x_j$:

$$x_j \in G_j \text{ and } x_{j+1} = F_j(x_j).$$

A special class of "simple loop" transition systems that have a single location are defined
below.

Definition 3.2. A transition system $\Pi$ is called a simple loop if it has a single location, i.e.,
$L = \{\ell\}$. All transitions of a simple loop are self-loops around this location $\ell$.

The transition system in Example 3.1 is a simple loop. It consists of a single location. In
general, simple loops can have multiple transitions that "loop" around this single location.

We will now discuss the pre-image operator FPRE induced by a transition. Let $g(x)$ be
some function over the state variables and $t : (\ell, m, G, F)$ be a transition.

Definition 3.3. The functional pre-image $\mathrm{FPRE}(g, t)$ is defined as $g(F(x))$.

Note: The standard precondition operator works over assertions over the state variables,
involving computing the pre-image using $F$ and computing the intersection of the result with
the guard. The functional precondition defined here is defined over functions $g(x)$ over the
state variables.

Example 3.2. Consider the transition

$$t : (\ell, m, G, F), \text{ wherein } G : \{(x, y) \mid x > y\},\ F : \lambda(x, y).\,(x^2, y^2 - x^2).$$

The functional pre-image of the function $g(x, y) : x + y$, denoted $\mathrm{FPRE}(x + y, t)$, is given by

$$\mathrm{FPRE}(x + y, t) : (x^2) + (y^2 - x^2) = y^2.$$

To contrast with the standard pre-condition operator, which applies to assertions over
states, let us consider the assertion $x + y > 0$. We have

$$\mathrm{pre}(x + y > 0, t) : y^2 > 0 \wedge x > y.$$

▲

We now show that FPRE is a linear operator over functions.

Lemma 3.1. For any transition $t$ and functions $g_1, g_2, g$ over $x$, we have $\mathrm{FPRE}(g_1 + g_2, t) =
\mathrm{FPRE}(g_1, t) + \mathrm{FPRE}(g_2, t)$ and further, $\mathrm{FPRE}(\lambda g) = \lambda\,\mathrm{FPRE}(g)$ for any $\lambda \in \mathbb{R}$.

Proof. Proof follows by directly applying Def. 3.3. □

Let us consider any run of the transition system

$$r : \sigma_0 \rightarrow \sigma_1 \rightarrow \cdots \rightarrow \sigma_i \rightarrow \sigma_{i+1} \cdots.$$

Let $t_i : (\ell_i, \ell_{i+1}, G_i, F_i)$ denote the transition between $\sigma_i : (\ell_i, x_i)$ and $\sigma_{i+1} : (\ell_{i+1}, x_{i+1})$.

Finally, let $g(x)$ be any function over the state variables of the transition system.

Lemma 3.2. The following identity holds for all successive pairs of states $(\ell_i, x_i) \xrightarrow{t_i} (\ell_{i+1}, x_{i+1})$
encountered in a run of the transition system and for all functions $g(x)$:

$$\mathrm{FPRE}(g, t_i)(x_i) = g(x_{i+1})$$

Proof. We may write $\mathrm{FPRE}(g, t_i)(x_i) = g(F(x_i))$. We know that $x_{i+1} = F(x_i)$. Therefore,
$g(x_{i+1}) = g(F(x_i)) = \mathrm{FPRE}(g, t_i)(x_i)$. □

We will now discuss change-of-basis abstractions for transition systems. The discussion
will focus on defining change-of-basis abstractions for simple loops, which are represented by
a transition system with a single location $\ell$ (cf. Definition 3.2). The subsequent sections will
extend this concept to arbitrary transition systems.






3.2 CoB Abstractions For Simple Loops 

Consider a simple loop $\Pi$ over $x \in \mathbb{R}^n$ with a single location $\ell$, transitions $\{t_1, \ldots, t_k\}$, and
initial condition $X_0$. We seek to abstract $\Pi$ with another simple loop $\Xi$ over $y \in \mathbb{R}^l$ with a
single location $m$, transitions $\{t'_1, \ldots, t'_k\}$ and initial condition $Y_0$.

Definition 3.4. Simple loop $\Xi$ is a CoB abstraction of $\Pi$ iff there is a continuous function
$\alpha : \mathbb{R}^n \to \mathbb{R}^l$ such that

1. The initial condition $Y_0 \supseteq \alpha(X_0)$,

2. For each transition $t_i : (\ell, \ell, G_i, F_i)$ in $\Pi$, there is a corresponding transition $t'_i : (m, m, G'_i, F'_i)$
in $\Xi$ such that

(a) $G'_i \supseteq \alpha(G_i)$,

(b) $\forall x,\ F'_i(\alpha(x)) = \alpha(F_i(x))$.

We will now present an example of CoB abstraction for simple loops.

Example 3.3. Consider the simple loop from Example 3.1 (also Fig. 2). We note that the
map

$$\alpha : \mathbb{R}^3 \to \mathbb{R}^4, \text{ where } \alpha = \lambda(x, y, k).\,(x, y, k, y^2),$$

yields an abstract transition system $\Xi$ over variables $w : (w_1, w_2, w_3, w_4)$. Informally, the
variables $(w_1, w_2, w_3, w_4)$ are place holders for the expressions $(x, y, k, y^2)$, respectively. The
resulting transition system $\Xi$ is

    Variables : w
    L         : {m}
    T         : {t'_1 : (m, m, G'_1, F'_1), t'_2 : (m, m, G'_2, F'_2)}
    X_0       : w_1 = w_2 = w_4 = 0 ∧ w_3 > 1
    G'_1      : {w | w_2 < w_3}
    G'_2      : {w | w_2 > w_3}
    F'_1      : λw. (w_1 + w_4, w_2 + 1, w_3, w_4 + 2w_2 + 1)
    F'_2      : λw. w

The various requirements laid out in Definition 3.4 can be easily verified. We will verify the
requirement for $F'_1$: $F'_1(\alpha(x, y, k)) = \alpha(F_1(x, y, k))$, as follows:

$$F'_1(\alpha(x, y, k)) = F'_1(x, y, k, y^2) = (\underbrace{x + y^2}_{w_1 + w_4},\ \underbrace{y + 1}_{w_2 + 1},\ \underbrace{k}_{w_3},\ \underbrace{y^2 + 2y + 1}_{w_4 + 2w_2 + 1})$$
$$= \alpha(x + y^2, y + 1, k) = \alpha(F_1(x, y, k))$$

▲

The definition of CoB abstraction immediately admits the following key theorem.

Theorem 3.1. For any run

$$\sigma_0 : (\ell, x_0) \xrightarrow{t_0} (\ell, x_1) \xrightarrow{t_1} (\ell, x_2) \xrightarrow{t_2} \cdots$$

the corresponding sequence of $\Xi$-states

$$\gamma_0 : (m, \alpha(x_0)) \xrightarrow{t'_0} (m, \alpha(x_1)) \xrightarrow{t'_1} (m, \alpha(x_2)) \xrightarrow{t'_2} \cdots$$

is a run of $\Xi$.

Proof. Proof uses the property that whenever the move $(\ell, x_j) \xrightarrow{t_j} (\ell, x_{j+1})$ is enabled in $\Pi$
then the move $(m, \alpha(x_j)) \xrightarrow{t'_j} (m, \alpha(x_{j+1}))$ is enabled in $\Xi$.

Let $t_j$ be described by the guard $G_j$ and the functional update $F_j$. Likewise, let $t'_j$ be
described by $G'_j$ and $F'_j$. We note that $\alpha(G_j) \subseteq G'_j$. Since $x_j$ satisfies the guard of $t_j$, $\alpha(x_j)$
satisfies that of $t'_j$. The state obtained after the transition is given by

$$F'_j(\alpha(x_j)) = \alpha(F_j(x_j)) = \alpha(x_{j+1}).$$

We have proved that whenever the move $(\ell, x_j) \xrightarrow{t_j} (\ell, x_{j+1})$ is possible in $\Pi$ then the
move $(m, \alpha(x_j)) \xrightarrow{t'_j} (m, \alpha(x_{j+1}))$ is possible in $\Xi$. The rest of the proof extends this to trace
containment through induction over prefixes of the traces. □

As a direct consequence, we may state a theorem that corresponds to Theorem 2.2 for the
case of vector fields.

Theorem 3.2. Let $[[\varphi]]$ be an invariant set for the abstract system $\Xi$. Then, $\alpha^{-1}([[\varphi]])$ is an
invariant of the original system $\Pi$.

Proof. First, we note from Theorem 3.1 that if $(\ell, x)$ is reachable in $\Pi$ then $(m, \alpha(x))$ is
reachable in $\Xi$. Since $\varphi$ is an invariant for $\Xi$, we have $(m, \alpha(x)) \in [[\varphi]]$. Therefore for any
reachable state $(\ell, x)$ in $\Pi$, we have $(\ell, x) \in \alpha^{-1}([[\varphi]])$. Thus $\alpha^{-1}([[\varphi]])$ is an invariant set for
$\Pi$. □

Given an invariant $\varphi[y]$ for $\Xi$ in the form of an assertion, the invariants for the original
system are obtained simply by substituting $\alpha(x)$ in the place of $y$ in $\varphi$.

Example 3.4. Consider the transition system $\Pi$ from Example 3.1 and its abstraction $\Xi$
in Example 3.3. We note that $\Xi$ has affine guards and updates. Therefore, we may use a



standard polyhedral analysis tool to compute invariants over E flU . lla . \3aj . Some of the 
invariants obtained include 

12>W4, < 9wi + 2^102 A 7w4 < 6wi + llii;2 A Awi + 7w2 — 7wi + llw^ > 11 
2wi + 3w2 — 3w4, + Aw^ > 4 A W4 < 2wi + W2 A 3w4 < wi + 12w2 
9 — wi — 3w2 + 3wi — 9w3 <0 A W2 > A l<tt;3 A u;2 — 'u;3<0 

By substituting $w_1 \mapsto x$, $w_2 \mapsto y$, $w_3 \mapsto k$, $w_4 \mapsto y^2$ on these invariants, we conclude invariants
for the original system. For instance, we conclude facts such as

13y^ -2Ay-9x>0 A - lly - 6x > A Ilk - + 7y + 4x > 11 . 

The goal, once again, is to find an abstraction $\alpha$ and an abstract system $\Xi$ starting from
a description of the system $\Pi$. Furthermore, we require that the update functions $F'_j$ in $\Xi$ are
all polynomials whose degrees are smaller than some given limit $d > 0$. In particular, if we
set $d = 1$, we are effectively requiring all the updates in $\Xi$ to be affine functions over $y$.

Our strategy will be to find a map $\alpha : \mathbb{R}^n \to \mathbb{R}^k$. For convenience, we will write $\alpha$ as
$(\alpha_1, \ldots, \alpha_k)$, wherein each component function $\alpha_j : \mathbb{R}^n \to \mathbb{R}$. Let $V$ be the vector space
spanned by the components of $\alpha$, i.e., $V = \mathrm{Span}(\{\alpha_1, \ldots, \alpha_k\})$. Our goal will be to ensure
that for each transition $t$ in $\Pi$ and for each $\alpha_i$,

$$\forall t,\ \mathrm{FPRE}(\alpha_i(x), t) \in V^{(d)}. \qquad (3)$$

Let $V$ be a vector space that satisfies Eq. (3) for each transition $t$ in $\Pi$. We will say that
the space $V$ is d-closed w.r.t. $\Pi$.

Theorem 3.3. Let $V : \mathrm{Span}(g_1, \ldots, g_k)$ be d-closed w.r.t. $\Pi$ for continuous functions $g_1, \ldots, g_k$.
The map $\alpha : (g_1, \ldots, g_k)$ is a CoB transformation defining an abstract system $\Xi$, wherein each
transition of $\Xi$ has a polynomial update function involving polynomials of degree at most $d$.

Proof. We construct the abstract system $\Xi$ with variables $w_1, \ldots, w_k$ representing the
functions $g_1, \ldots, g_k$ that are the components of $\alpha$. $\Xi$ has a single location $m$ and for each transition
$t_i \in \Pi$, we construct a corresponding transition $t'_i \in \Xi$ as follows.

Let $G_i, F_i$ be the guard set and update function for $t_i$, respectively. The guard set for $t'_i$
is given by $\alpha(G_i)$ or an over-approximation thereof. Likewise, the update $F'_i$ for $t'_i$ is derived
as follows. We note that

$$\mathrm{FPRE}(g_j, t_i) = \sum_{r} c_{r_1, r_2, \ldots, r_k}\, g_1^{r_1} g_2^{r_2} \cdots g_k^{r_k},$$

wherein $0 \le r_1 + r_2 + \cdots + r_k \le d$. The corresponding update for $w_j$ in the abstract system
is given by

r 

Note that each function $F'_i(w_j)$ is a polynomial of degree at most $d$ over $w_1, \ldots, w_k$. □

Since the operator FPRE used to define the closure in Eq. (3) is a linear operator (cf.
Lemma 3.1), we may check the closure property for a given vector space $V$ by checking if its
basis functions satisfy the property.

Lemma 3.3. The vector space $V : \mathrm{Span}(\{g_1, \ldots, g_k\})$ is d-closed w.r.t. $\Pi$ iff for each basis
element $g_i$ of $V$, and for each transition $t$ in $\Pi$, $\mathrm{FPRE}(g_i, t) \in V^{(d)}$.

Proof. For the non-trivial direction, let $V$ be a space where for each basis element $g_i$ of $V$, and
for each transition $t$ in $\Pi$, $\mathrm{FPRE}(g_i, t) \in V^{(d)}$. An arbitrary element $g \in V$ can be written as a
linear combination of its basis elements: $g = \sum_j \lambda_j g_j$. We have $\mathrm{FPRE}(g, t) = \sum_j \lambda_j \mathrm{FPRE}(g_j, t)$
from Lemma 3.1. Since $\mathrm{FPRE}(g_j, t) \in V^{(d)}$, which is a vector space itself, we have that
$\mathrm{FPRE}(g, t)$ is a linear combination of elements in $V^{(d)}$ and thus $\mathrm{FPRE}(g, t) \in V^{(d)}$. Thus $V$ is
d-closed. □

Example 3.5. Once again, consider the system $\Pi$ in Example 3.1 and the map $\alpha : (x, y, k, y^2)$
from Example 3.3. The components of this map are the functions $\alpha_1 : x$, $\alpha_2 : y$, $\alpha_3 : k$ and $\alpha_4 :
y^2$. We may verify that the vector space $V : \mathrm{Span}(\{x, y, k, y^2\})$ satisfies the closure property
in Eq. (3) for $d = 1$. The table below shows the results of applying FPRE on each of the basis
elements.

    Basis function g_j    FPRE(g_j, t_1)    FPRE(g_j, t_2)
    x                     x + y^2           x
    y                     y + 1             y
    k                     k                 k
    y^2                   y^2 + 2y + 1      y^2

Thus, $\mathrm{FPRE}(g_j, t_k)$ belongs to $V^{(1)} = \mathrm{Span}(\{1, x, y, k, y^2\})$. ▲



Searching for Abstractions: The procedure for finding abstractions is identical to that used
for vector fields with the caveat that closure under Lie derivative is replaced by closure under
$\mathrm{FPRE}(\cdot, t_j)$ for every transition $t_j$ in the system. The procedure takes as input an initial basis
of functions $B_0$ and iteratively refines the vector space $V_i : \mathrm{Span}(B_i)$ by removing all the
functions that do not satisfy the closure property.

Example 3.6. Consider the system $\Pi$ in Example 3.1 and the initial basis consisting of all
monomials of degree at most 2 over variables $x, y, k$. We obtain the basis
$B_0 : \{x, y, k, x^2, y^2, k^2, xy, yk, xk\}$ and the space $V_0 : \mathrm{Span}(B_0)$. An element of $V_0$ can be written as

$$p : c_1 x + c_2 y + c_3 k + c_4 x^2 + c_5 y^2 + c_6 k^2 + c_7 xy + c_8 yk + c_9 xk.$$

We consider the transition $t_1$ with update $F_1 : \lambda(x, y, k).\,(x + y^2, y + 1, k)$. Transition $t_2$ is
ignored as its update is simply the identity relation. We have $\mathrm{FPRE}(p, t_1)$ as

$$\mathrm{FPRE}(p, t_1) : (c_2 + c_5) + (c_1 + c_7)x + (c_2 + 2c_5)y + (c_3 + c_8)k + c_4 x^2 + (c_1 + c_5 + c_7)y^2 + c_6 k^2 + c_7 xy + c_7 y^3 + c_4 y^4 + 2c_4 xy^2 + c_8 yk + c_9 xk + c_9 y^2 k.$$

The "overflow" terms $c_7 y^3$, $c_4 y^4$, $c_9 y^2 k$ immediately yield the constraints $c_4 = c_7 = c_9 = 0$.

The refined basis is $B_1 : \{x, y, k, y^2, k^2, yk\}$. The iterative process converges with $V_1 : \mathrm{Span}(B_1)$
yielding a linearization. ▲
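
The search of Section 2.6 (Examples 2.6 and 2.7) and the search for loops above (Examples 3.5 and 3.6) differ only in the operator applied to the basis, so the following added sketch, which is not code from the paper or its prototype, runs one refinement loop for both cases, restricted to polynomial bases and $d = 1$. The function names, the dict encoding of polynomials and the exact Gauss-Jordan solver are choices made for this illustration; several operators are handled by refining under each in turn, which reaches the same largest closed subspace.

```python
from fractions import Fraction
from itertools import product

# A polynomial is a dict {exponent tuple: coefficient}; {(1, 2): 3} means 3*x*y^2.
def add(p, q):
    r = {m: p.get(m, 0) + q.get(m, 0) for m in set(p) | set(q)}
    return {m: c for m, c in r.items() if c != 0}

def mul(p, q):
    r = {}
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        r = add(r, {tuple(a + b for a, b in zip(m1, m2)): c1 * c2})
    return r

def lie(field):
    """Operator g -> L(g) = sum_k (dg/dx_k) * F_k for a polynomial vector field F."""
    def op(g):
        out = {}
        for k, f in enumerate(field):
            dg = {m[:k] + (m[k] - 1,) + m[k + 1:]: c * m[k] for m, c in g.items() if m[k]}
            out = add(out, mul(dg, f))
        return out
    return op

def fpre(update):
    """Operator g -> FPRE(g, t) = g(F(x)) for a polynomial update F."""
    def op(g):
        out = {}
        for m, c in g.items():
            term = {(0,) * len(m): c}
            for k, e in enumerate(m):
                for _ in range(e):
                    term = mul(term, update[k])
            out = add(out, term)
        return out
    return op

def nullspace(cols):
    """Basis of {v : sum_j v[j] * cols[j] = 0}, by exact Gauss-Jordan elimination."""
    rows = sorted({m for c in cols for m in c})
    M = [[Fraction(c.get(m, 0)) for c in cols] for m in rows]
    pivots = []
    for j in range(len(cols)):
        r = len(pivots)
        i = next((i for i in range(r, len(M)) if M[i][j]), None)
        if i is None:
            continue
        M[r], M[i] = M[i], M[r]
        M[r] = [v / M[r][j] for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][j]:
                M[i] = [a - M[i][j] * b for a, b in zip(M[i], M[r])]
        pivots.append(j)
    basis = []
    for free in sorted(set(range(len(cols))) - set(pivots)):
        v = [Fraction(int(k == free)) for k in range(len(cols))]
        for row, pj in zip(M, pivots):
            v[pj] = -row[free]
        basis.append(v)
    return basis

def refine(basis, op, nvars):
    """Eq. (2) with d = 1: keep g in Span(basis) whose image op(g) lies in Span(basis + [1])."""
    target = basis + [{(0,) * nvars: 1}]
    cols = target + [{m: -c for m, c in op(h).items()} for h in basis]
    new = []
    for v in nullspace(cols):  # v = (d_1.., c_1..): sum d_k*target_k = sum c_j*op(h_j)
        g = {}
        for cj, h in zip(v[len(target):], basis):
            g = add(g, {m: cj * c for m, c in h.items()})
        new.append(g)
    return new

def closed_space(basis, ops, nvars):
    """Shrink Span(basis) until it is 1-closed under every operator in ops."""
    while True:
        size = len(basis)
        for op in ops:
            basis = refine(basis, op, nvars)
        if len(basis) == size:
            return basis

def dynamics(basis, op, nvars):
    """Rows (a_i1..a_im, b_i) with op(h_i) = sum_k a_ik*h_k + b_i; basis must be 1-closed."""
    target = basis + [{(0,) * nvars: 1}]
    rows = []
    for h in basis:
        (v,) = nullspace(target + [{m: -c for m, c in op(h).items()}])
        rows.append(v[:-1])
    return rows

def monomials(max_deg, nvars):
    exps = product(range(max_deg + 1), repeat=nvars)
    return [{e: Fraction(1)} for e in exps if 0 < sum(e) <= max_deg]

# ODE of Examples 2.6/2.7 over (x, y), and update F_1 of Example 3.6 over (x, y, k).
FIELD = [{(1, 1): 1, (1, 0): 2}, {(0, 2): Fraction(-1, 2), (0, 1): 7, (0, 0): 1}]
UPDATE = [{(1, 0, 0): 1, (0, 2, 0): 1}, {(0, 1, 0): 1, (0, 0, 0): 1}, {(0, 0, 1): 1}]
```

Starting from all monomials of degree at most 3, `closed_space(monomials(3, 2), [lie(FIELD)], 2)` converges to the basis $\{x, xy, xy^2\}$ and `dynamics` returns the affine system of Example 2.6, whereas the degree-2 start of Example 2.7 collapses to the trivial space. With `fpre(UPDATE)` and `monomials(2, 3)` the loop converges to the basis $B_1$ of Example 3.6.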



3.3 Abstractions for General Transition Systems 

Thus far, we have presented CoB abstractions for simple loops consisting of a single location. 
The ideas seamlessly extend to systems with multiple locations with a few generalizations 
that will be described in this section. 

Let $\Pi$ be a system with a set of locations $L = \{\ell_1, \ldots, \ell_k\}$ and transitions
$T$. We will assume that $|L| > 2$ so that the system is no longer a simple loop. The main idea
behind change of basis (CoB) transformations for systems with multiple locations is to allow a
different map for each location. In other words, the abstraction is defined by a map
$\alpha_\ell(x)$ for each location $\ell \in L$.
int x, y, z;
// .. initialize..
while (x + y - z <= 100) {
    (x,y) := ( x + z * (x - y),
               y + z * (y - x) );
    // x,y,z unmodified here
    (x,y,z) := ( z+1,
                 x+y -1,
                 z+x+y -1 );
}

$L : \{\ell_1, \ell_2, \ell_3\}$,  $T : \{t_1, t_2, t_3\}$
$t_2 : (\ell_2, \ell_1, G_2, F_2)$,  $t_3 : (\ell_1, \ell_3, G_3, F_3)$
$G_1 : \{(x, y, z) \mid x + y - z \le 100\}$
$F_1 : (x + zx - zy,\ y + zy - zx,\ z)$
$F_2 : (z + 1,\ x + y - 1,\ z + x + y - 1)$
$G_3 : \{(x, y, z) \mid x + y - z > 100\}$

Figure 3: An example program fragment with multiple locations and its transition system. 

The maps for two different locations $\ell_1$ and $\ell_2$ are of the type
$\alpha_{\ell_1} : \mathbb{R}^n \to \mathbb{R}^{m_1}$ and
$\alpha_{\ell_2} : \mathbb{R}^n \to \mathbb{R}^{m_2}$. In general, we may assume that
$m_1 \neq m_2$. This discrepancy can be remedied by padding each $\alpha_\ell$ with extra
components that map to the constant function 0. While this transformation violates the linear
independence requirement between the various components in $\alpha$, it makes the resulting
abstract system easier to describe. Without loss of generality, we assume that all the maps
$\alpha_\ell$ for each $\ell \in L$ are of the form $\mathbb{R}^n \to \mathbb{R}^m$ for
a fixed $m > 0$.

Definition 3.5. A system $\Xi$ is a CoB abstraction of $\Pi$ through a collection of maps
$\alpha_{\ell_1}, \ldots, \alpha_{\ell_k}$, each of the type $\mathbb{R}^n \to \mathbb{R}^m$,
corresponding to locations $\ell_1, \ldots, \ell_k$, iff

1. $\Xi$ has locations $m_j$ corresponding to $\ell_j \in L$ for $1 \le j \le k$, and
transitions $t'_i$ corresponding to transition $t_i \in T$.

2. For each transition $t_i : (\ell_{pre}, \ell_{post}, G_i, F_i)$ in $\Pi$, the corresponding
transition $t'_i : (m_{pre}, m_{post}, G'_i, F'_i)$ is such that

(a) $m_{pre}$ and $m_{post}$ correspond to $\ell_{pre}$ and $\ell_{post}$, respectively,

(b) $G'_i \supseteq \alpha_{\ell_{pre}}(G_i)$,

(c) $(\forall x)\ F'_i(\alpha_{\ell_{pre}}(x)) = \alpha_{\ell_{post}}(F_i(x))$.




$\alpha_{\ell_1} : (z^2, yz, xz, z, y^2, xy, y, x^2, x)$
$\alpha_{\ell_2} : (z^2, yz + xz, z, y, y^2 + 2xy + x^2, x, 0, 0, 0)$
$\alpha_{\ell_3} : (z^2, yz, xz, z, y^2, xy, y, x^2, x)$

The transformation yields an abstraction $\Xi$ of the original system. The abstract system has
9 variables $w_0, \ldots, w_8$. The structure of $\Xi$ mirrors that of $\Pi$ with three
locations $m_1, m_2, m_3$ corresponding to $\ell_1, \ell_2, \ell_3$, respectively and three
transitions $t'_1, t'_2$ and $t'_3$ corresponding to $t_1, t_2$ and $t_3$ in $\Pi$. The guards
and updates of the transition $t'_1$ are

$G'_1 : \{(w_0, \ldots, w_8) \mid w_8 + w_6 - w_3 \le 100\}$,

$F'_1 : (w_0,\ w_1 + w_2,\ w_3,\ w_1 - w_2 + w_6,\ w_4 + 2w_5 + w_7,\ -w_1 + w_2 + w_8,\ 0, 0, 0)$

We verify the key condition that ensures that $t'_1$ is an abstraction of $t_1$:

$$\alpha_{\ell_2}(F_1(x, y, z)) = F'_1(\alpha_{\ell_1}(x, y, z)) .$$

The LHS $\alpha_{\ell_2}(F_1(x, y, z)) = \alpha_{\ell_2}(x + zx - zy,\ y + zy - zx,\ z)$ is given by

$$(z^2,\ zx + zy,\ z,\ y + zy - zx,\ x^2 + 2xy + y^2,\ x + zx - zy,\ 0, 0, 0) .$$

The RHS $F'_1(\alpha_{\ell_1}(x, y, z)) = F'_1(z^2, yz, xz, z, y^2, xy, y, x^2, x)$ is given by

$$(z^2,\ xz + yz,\ z,\ y - zx + zy,\ y^2 + 2xy + x^2,\ x + zx - zy,\ 0, 0, 0) .$$

The identity of LHS and RHS is thus verified. ▲

Our goal once again is to search for a collection of transformations $\alpha_\ell$ for each
$\ell \in L$ such that the resulting system is described by polynomial updates of degree at
most $d$. The case where $d = 1$ corresponds to affine updates. Once again, we generalize the
notion of a $d$-closed vector space. Consider a collection of vector spaces
$V_\ell : \mathrm{Span}(B_\ell)$ for each location $\ell \in L$.

Definition 3.6. We say that the collection $V_\ell, \ell \in L$ is $d$-closed for transition
system $\Pi$ if and only if for each transition $t_j : (\ell_{pre}, \ell_{post}, G_j, F_j)$ and
for each element $p \in V_{\ell_{post}}$, we have

$$\mathrm{FPRE}(p, t_j) \in V_{\ell_{pre}}^{(d)} .$$

The notion of $d$-closed vector spaces can be related to CoB transformations and resulting
abstractions whose updates are defined by means of polynomials of degree at most $d$.

Theorem 3.4. Let $V_\ell, \ell \in L$ be a collection of vector spaces that are $d$-closed for
a system $\Pi$. The basis elements of $V_\ell$ yield a collection of maps
$\alpha_\ell, \ell \in L$ that relate $\Pi$ to a CoB abstraction $\Xi$. The update maps of
$\Xi$ are all polynomials of degree at most $d$.

Example 3.8. Consider the transition system described in Example 3.7 and Figure 3. We
wish to discover an affine abstraction for this system automatically. Starting from the initial
collection of vector spaces that maps each location to the space of all polynomials of degree at
most 2 over $x, y, z$, we obtain the transformations
$\alpha_{\ell_1}, \alpha_{\ell_2}, \alpha_{\ell_3}$ described in the same example.
This yields an abstract system over variables $w_0, \ldots, w_8$.

3.4 Combining Discrete and Continuous Systems 

As a final step, we extend our approach to hybrid systems that combine discrete and
continuous dynamics. We define hybrid systems briefly and extend the results from Sections 2
and 3 to address hybrid systems.

Definition 3.7. A hybrid system consists of a discrete transition system
$\Pi : (X, L, T, X_0, \ell_0)$ and a mapping that associates each location $\ell_i \in L$ with
a continuous subsystem $\mathcal{S}_i : (\mathcal{F}_i, X_i)$ over the state-space $X$,
consisting of a vector field $\mathcal{F}_i$ and location invariant $X_i$.
A state $\sigma$ of the hybrid system consists of a tuple $(\ell, x, T)$ where $\ell \in L$ is
the current location, $x \in X$ the valuations to the continuous variables and $T > 0$ the
current time.

Given a time $\delta > 0$, we write $(\ell, x, T) \xrightarrow{\delta} (\ell, y, T + \delta)$
to denote that starting from state $(\ell, x, T)$ the hybrid system flows continuously according
to the continuous subsystem $\mathcal{S}_i$ corresponding to the location $\ell$. Likewise, we
write $(\ell, x, T) \xrightarrow{t_j} (\ell', x', T)$ to denote a jump between two states upon
taking a discrete transition $t_j$ from $\ell$ to $\ell'$. Note that no time elapses upon
taking a jump.

A run $R$ of the hybrid system is given by a countable sequence of alternating flows
(evolution according to the ODE inside a location) and jumps (discrete transition to a different
location) starting from an initial state:





To avoid Zenoness, we require that the summation of the dwell times in the individual
modes $\sum_{j=0}^{\infty} \delta_j$ diverges.

We now define CoB abstractions for hybrid systems. Our definitions simply combine
aspects of the definition for transition systems (Definition 3.5) and continuous systems
(Definition 2.3).

A CoB abstraction of the hybrid system is obtained through a collection of maps
$\alpha_{\ell_1}, \ldots, \alpha_{\ell_k}$ corresponding to the locations
$\ell_1, \ldots, \ell_k$ of the hybrid system. It is assumed that by padding with 0s, we obtain
each $\alpha_{\ell_i}$ as a function $\mathbb{R}^n \to \mathbb{R}^m$.

Definition 3.8. A system $\Xi$ is a CoB abstraction of $\Pi$ through a collection of maps
$\alpha_{\ell_1}, \ldots, \alpha_{\ell_k}$, each of the type $\mathbb{R}^n \to \mathbb{R}^m$,
corresponding to locations $\ell_1, \ldots, \ell_k$, iff

1. $\Xi$ has locations $m_j$ corresponding to $\ell_j \in L$ for $1 \le j \le k$, and
transitions $t'_i$ corresponding to transition $t_i \in T$. Each location $m_j$ in $\Xi$ has an
associated continuous system $\mathcal{T}_j$.

2. For each corresponding location pair $\ell_j, m_j$, the system $\mathcal{T}_j$ is a CoB
abstraction of $\mathcal{S}_j$ through the transformation $\alpha_{\ell_j}$.

3. For each transition $t_i : (\ell_{pre}, \ell_{post}, G_i, F_i)$ in $\Pi$, the corresponding
transition $t'_i : (m_{pre}, m_{post}, G'_i, F'_i)$ are such that

Once again, we focus on searching for an abstraction $\Xi$ of a given hybrid system wherein
the continuous abstraction for each location and that of each transition is expressed by means
of polynomials of degree bounded by some fixed bound $d$. The case where the bound is $d = 1$
specifies an affine hybrid abstraction $\Xi$. We translate this into a $d$-closure condition
for vector spaces. Consider a collection of vector spaces $V_\ell : \mathrm{Span}(B_\ell)$ for
each location $\ell \in L$.

Definition 3.9. We say that the collection $V_\ell, \ell \in L$ is $d$-closed for hybrid
system $\Pi$ if and only if

1. For each location $\ell_i \in L$, the corresponding vector space $V_{\ell_i}$ is $d$-closed
w.r.t. the vector field $\mathcal{F}_i$ for the continuous subsystem $\mathcal{S}_i$.

2. For each transition $t_j : (\ell_{pre}, \ell_{post}, G_j, F_j)$ and for each element
$p \in V_{\ell_{post}}$, we have

$$\mathrm{FPRE}(p, t_j) \in V_{\ell_{pre}}^{(d)} .$$

Once again, the approach for finding a $d$-closed collection $V_\ell, \ell \in L$ starts from
an initial basis $V_\ell^{(0)}$ at each location $\ell$ and refines the basis. Two types of
refinements are applied: (a) refinement of $V_\ell$ to enforce closure w.r.t. the Lie derivative
of its basis elements for the vector field $\mathcal{F}_\ell$ and (b) refinement of $V_m$ w.r.t.
a transition $t : (\ell, m, G, F)$ incoming at location $m$.



4 Implementation and Evaluation 

We have implemented the ideas described in this paper to derive affine abstractions for (a)
continuous systems described by ODEs with polynomial right-hand sides, (b) discrete systems
with assignments that have polynomial RHS and (c) hybrid systems with polynomial ODEs
and discrete transition updates. Our approach takes as inputs the system description and a
degree limit $k > 0$ that is used to construct the initial basis. Starting from this initial
basis, our approach iteratively applies refinement until convergence. Upon convergence, we
print the basis inferred along with the resulting abstraction.

Currently, our implementation does not abstract the guard sets of the transitions and
the invariant sets of the ODEs. However, once the basis is inferred, the abstractions for
the guards of the transition and mode invariants are obtained using quantifier elimination
techniques (which are quite expensive in practice), or optimization techniques such
as Linear programming or SOS programming. Our implementation currently relies on
manual translation of invariant and guard assertions into the new basis to form the abstract
transition system.

If a non-trivial abstraction is discovered by our iterative scheme, we may use a linear 
invariant generator on the resulting affine system to infer invariants that relate to the original 
transition system. 

Our implementation and the benchmarks used in the evaluation presented in this section 
may be obtained upon request. 

4.1 Continuous Systems 

We first describe experimental results obtained for continuous systems described by ODEs.
Figure 4 summarizes the results on continuous system benchmarks. We collected nearly 15
benchmark systems and ran our implementation to search for a linearizing CoB transformation.
We report on the degree of the monomials in the initial basis, time taken to converge
and the number of polynomials in the final basis that form the transformation to the abstract
system.

Trivial Transformations Found: Some of the benchmarks attempted resulted in trivial final
transformations. Examples include the well-known Fitzhugh-Nagumo neuron model, the Van der Pol
oscillators and similar small but complex systems that are known to be non-integrable.

We now highlight some of the interesting results, while summarizing all benchmarks in
Table 4.

Toda Lattice with Boundary Particles: The Toda lattice models an infinite array of point
particles such that the position and velocity of the $n^{th}$ particle are affected by its
neighbors the $(n-1)^{th}$ and $(n+1)^{th}$ particle for $n \in \mathbb{Z}$. We consider a
finite version of this lattice with 2 fixed boundary particles that are constrained to have a
fixed position and zero velocity and $K$ particles in the middle. The dynamics for $K = 2$
non-fixed particles are given by position variables $y_1, y_2$, velocities $v_1, v_2$ and extra
state variables $u_1, u_2$ to model the interaction with neighbors.

^ = ^1 ^ = Mm-U2) ^ = -V, 

1? = -2 ^ = -2U2 ^ = V,-V2 

In addition, we add time $t$ as a variable to the model with dynamics $\frac{dt}{dt} = 1$. Our
approach initialized with polynomials of degree 2 discovers a basis with 10 polynomials:



—2v2 — 2vi — U2 + 2xiUi + X2, 

—2v2 — 2vi — U2 + U1U2 + X2U1 + X1U2 + xiui + X1X2 
-2v2 - 2vi + 2uiU2 + 2x2U2 + 2x2^1 + X2, W4,: ni + xi, 
2t;2 + 2vi + nf + u^, wq : U2 + X2 - xi, wj : t, 

Uit + Xit, Wg : U2t + Uit ->r X2t, WiQ : t^ 

The resulting abstract system has linear dynamics given by: 



Wl 
W2 

W3 
W5 

W8 



dWj r, 1 . . / c 1 dws dwg dwiQ „ 

Results for larger instances are reported in Table 4.

Quadratic Fermi-Pasta-Ulam-Tsingou System: Consider a system considered by Fermi et al.
The system consists of a chain of particles at positions $x_1, \ldots, x_N$ with fixed boundary
particles $x_0 = 0$ and $x_{N+1} = N + 1$. The dynamics are given by

$$\frac{d^2 x_i}{dt^2} = (x_{i+1} + x_{i-1} - 2x_i) + \alpha\left((x_{i+1} - x_i)^2 - (x_i - x_{i-1})^2\right), \quad 1 \le i \le N$$

We consider an instantiation with $N = 3$, searching for CoB transformations with an initial
basis of monomials of degree up to 4. We obtain a transformation representing a conserved
quantity

$$\frac{1}{2}(v_1^2 + v_2^2 + v_3^2) + x_1^2 + x_2^2 + x_3^2 - 3x_3(1 + 3\alpha - \alpha x_3) - x_2 x_3(1 + \alpha x_3 - \alpha x_2) - x_1 x_2(1 + \alpha x_2 - \alpha x_1)$$

The abstract system is given by = 0. 

Two Mass Spring System: Consider the dynamics of two masses connected by a spring to
each other and to two fixed walls. The state variables are $(x_1, x_2, v_1, v_2)$ indicating
the position and velocity of the masses while the spring constant $k$ is a parameter. The
dynamics are given by

$$\frac{dx_1}{dt} = v_1, \quad \frac{dx_2}{dt} = v_2, \quad \frac{dv_1}{dt} = k x_2 - 2k x_1, \quad \frac{dv_2}{dt} = k(x_1 - x_2)$$

Footnote: See description by Goktas and Hereman [15] and references therein.
Our procedure yields a change of basis transformation

wi : V2+vf + — 2kxiX2 + W2 ■ viV2 — -vf — -kx2 + 2kxiX2 — ^kxf 

Both $w_1, w_2$ represent conserved quantities, yielding the abstraction

$$\frac{dw_1}{dt} = \frac{dw_2}{dt} = 0$$

Biochemical reaction network: We consider a biochemical reaction network benchmark from
Dang et al. The ODE along with the values of the parameters in our model coincide with
those used by Dang et al. The ODE consists of 12 variables and roughly 14 parameters. Our
search for degree bound < 3 discovers a transformation generated by five basis functions (in
roughly 3 seconds).

Collision Avoidance: We consider the algebraic abstraction of the roundabout mode of a
collision avoidance system analyzed recently by Platzer et al. [3] and earlier by Tomlin
et al. The two airplane collision avoidance system consists of the variables $(x_1, x_2)$
denoting the position of the first aircraft, $(y_1, y_2)$ for the second aircraft, $(d_1, d_2)$
representing the velocity vector for aircraft 1 and $(e_1, e_2)$ for aircraft 2.
$\omega, \theta$ abstract the trigonometric terms. In addition, the parameters
$a, b, r_1, r_2$ are also represented as system variables. The dynamics are modeled by the
following differential equations:

$$x_1' = d_1 \quad x_2' = d_2 \quad d_1' = -\omega d_2 \quad d_2' = \omega d_1$$
$$y_1' = e_1 \quad y_2' = e_2 \quad e_1' = -\theta e_2 \quad e_2' = \theta e_1$$
$$a' = b' = r_1' = 0 \quad r_2' = 0$$

A search for transformations of degree 2 yields a closed vector space with 27 basis functions
within 0.2 seconds. The basis functions include $a, b, r_1, r_2$ and all degree two terms
involving these. Removing these from the basis gives us 14 basis functions that yield a
transformation to a 14 dimensional affine ODE.



4.2 Discrete Systems 

We now describe experimental results on some discrete programs. We used a set of benchmark
programs that require non-linear invariants to prove correctness compiled by Enric
Carbonell. Our evaluation focuses on a subset of benchmarks that have non-linear assignments
or guards in them. The methods presented here converge in a single step with the
initial basis whenever the program being considered already has affine updates.

Fermat Factorization: Figure 5 shows a program for finding a factor of a number near
its square root taken from a book by Bressoud [5]. Our analysis initialized with monomials
of degree up to 2 over the program variables yields a final basis consisting of 17 polynomials.
The resulting affine system is analyzed by a polyhedral analyzer using abstract interpretation
to yield invariants. Some of the invariants obtained at the loop head are shown in Figure 5.
The equality invariant

4r + v'^ -2v - + 2U + 4N = 

is obtained at locations 1,2 and 3 in the program. This forms a key part of the program's 
partial correctness proof. 

Footnote: The benchmark instances are available on-line at http://www.lsi.upc.edu/~erodri/webpage/polynomial_invariants/list.hi
Figure 4: Experimental evaluation results on non linear polynomial ODE benchmarks at a
glance. Legend: #V denotes number of system variables + parameters, Deg.: max. degree
of the RHS, #B0: degree limit for monomials in the initial basis, Time: timing in seconds,
#B*: number of elements in the final basis, †: some elements of the basis involving just the
parameters were discarded from the count and dnf: did not finish in 2hrs or out of memory
crash.

Product of Numbers: Consider the benchmark shown in Figure 6 that seeks to compute the
product of its arguments $x, y$. Our approach initialized using degree 2 monomials computes an
abstract system with 20 basis polynomials that in turn yields an affine transition system with
20 variables. Figure 6 shows the invariants computed using polyhedral abstract interpretation.
The invariant q — abp = cannot be established by our technique with degree 2 monomials. 
On the other hand, it can be established by considering degree 3 monomials in the initial basis. 
The resulting system however has 60 variables, making polyhedral analysis of the system as 
a whole hard. 

Geometric Summation: Consider the geometric summation program in Figure 7. Our
approach computes a linearization with 5 variables in the abstract system. Polyhedral analysis
of the resulting program yields the invariant $(1 - r)s = a - p$. This invariant together with
the invariant p = ar^ (which cannot be obtained through algebraic reasoning) suffices to prove
the partial correctness of the program.

5 Conclusion and Future Directions 

Thus far, we have presented an approach that uses Change-Of-Bases transformation for
inferring abstractions of continuous, discrete and hybrid systems. We have explored the
theoretical underpinnings of our approach and its connections to various invariant generation
techniques presented earlier. Our previous work presents an extension of the approach presented
in this paper to infer differential inequality abstractions. Similar extensions for discrete
systems remain unexplored. Furthermore, the use of the abstractions presented here to establish
termination for transition systems is also a promising line of future research. Future research
will also focus on the use of Lie symmetries to reduce the size of the ansatz or templates used
in the search for conserved quantities and CoB transformations [15].

int fermat(int N, int R)
pre (N >= 0 && R >= 0) :
   int u,v,r;
   u := 2*R + 1;      // (R+1)^2 - R^2 = 2R + 1
   v := 1;
   r := R*R - N;
1: while ( r != 0 ){
2:    while (r > 0)
         (r,v) := (r-v, v+2) ;
3:    while (r < 0)
         (r,u) := (r+u, u+2) ;
   }
end

Figure 5: Fermat's algorithm for prime factorization taken from Bressoud [5] and invariants
computed at location 1 using polyhedral analysis of the linearization.